--- /dev/null
+# See man 5 aliases for format
+MAILER-DAEMON: postmaster
+postmaster: root
+root: frank
+
+# General redirections for pseudo accounts.
+adm: root
+bin: root
+daemon: root
+exim: root
+lp: root
+mail: root
+named: root
+nobody: root
+postfix: root
+
+# Well-known aliases -- these should be filled in!
+# root:
+# operator:
+
+# Standard RFC2142 aliases
+abuse: postmaster
+ftp: root
+hostmaster: root
+news: usenet
+noc: root
+security: root
+usenet: root
+uucp: root
+webmaster: root
+www: webmaster
+
+# trap decode to catch security attacks
+# decode: /dev/null
+
+# Persönliche Aliase
+
+# Frank Brehm
+frank: frank@brehm-online.com
+fbr: frank
+brehm: frank
+fbrehm: frank
+f.brehm: frank
+f-brehm: frank
+frank.brehm: frank
+frank-brehm: frank
+
+
+
--- /dev/null
+/usr/bin/heirloom-mailx
\ No newline at end of file
--- /dev/null
+/usr/share/man/man1/heirloom-mailx.1.gz
\ No newline at end of file
--- /dev/null
+/usr/bin/figlet-figlet
\ No newline at end of file
--- /dev/null
+/usr/share/man/man6/figlet-figlet.6.gz
\ No newline at end of file
--- /dev/null
+/usr/bin/heirloom-mailx
\ No newline at end of file
--- /dev/null
+/usr/share/man/man1/heirloom-mailx.1.gz
\ No newline at end of file
--- /dev/null
+/usr/bin/heirloom-mailx
\ No newline at end of file
--- /dev/null
+/usr/share/man/man1/heirloom-mailx.1.gz
\ No newline at end of file
--- /dev/null
+#!/bin/sh
+
+# Placed in /etc/apm/event.d by the chrony package at the instruction of
+# the apmd maintainer. If you don't have apm and don't intend to install
+# apmd you may remove it. It needs to run after 00hwclock but before any
+# other scripts.
+
+
+[ -x /usr/sbin/chronyd ] || exit 0
+
+if [ "$1" = suspend ]; then
+ invoke-rc.d chrony stop
+elif [ "$1" = standby ]; then
+ invoke-rc.d chrony stop
+elif [ "$1" = resume ]; then
+ invoke-rc.d chrony start
+fi
--- /dev/null
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9
+m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW
+tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw
+WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts
+kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA
+gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr
+YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT
+qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q
+WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1
+yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o
+nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU
+4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA
+/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q
+9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb
+9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx
+uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ
+zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr
+GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E
+PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ
+AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK
+WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4
+vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f
+T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N
+1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx
+fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS
+MA==
+=dtMN
+-----END PGP PUBLIC KEY BLOCK-----
APT::NeverAutoRemove
{
"^linux-image-3\.16\.0-4-amd64$";
+ "^linux-image-4\.3\.0-0\.bpo\.1-amd64$";
"^linux-headers-3\.16\.0-4-amd64$";
+ "^linux-headers-4\.3\.0-0\.bpo\.1-amd64$";
"^linux-image-extra-3\.16\.0-4-amd64$";
+ "^linux-image-extra-4\.3\.0-0\.bpo\.1-amd64$";
"^linux-signed-image-3\.16\.0-4-amd64$";
+ "^linux-signed-image-4\.3\.0-0\.bpo\.1-amd64$";
"^kfreebsd-image-3\.16\.0-4-amd64$";
+ "^kfreebsd-image-4\.3\.0-0\.bpo\.1-amd64$";
"^kfreebsd-headers-3\.16\.0-4-amd64$";
+ "^kfreebsd-headers-4\.3\.0-0\.bpo\.1-amd64$";
"^gnumach-image-3\.16\.0-4-amd64$";
+ "^gnumach-image-4\.3\.0-0\.bpo\.1-amd64$";
"^.*-modules-3\.16\.0-4-amd64$";
+ "^.*-modules-4\.3\.0-0\.bpo\.1-amd64$";
"^.*-kernel-3\.16\.0-4-amd64$";
+ "^.*-kernel-4\.3\.0-0\.bpo\.1-amd64$";
"^linux-backports-modules-.*-3\.16\.0-4-amd64$";
+ "^linux-backports-modules-.*-4\.3\.0-0\.bpo\.1-amd64$";
"^linux-tools-3\.16\.0-4-amd64$";
+ "^linux-tools-4\.3\.0-0\.bpo\.1-amd64$";
};
--- /dev/null
+deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main
--- /dev/null
+# apticron.conf
+#
+# set EMAIL to a space separated list of addresses which will be notified of
+# impending updates
+#
+EMAIL="root"
+
+#
+# Set DIFF_ONLY to "1" to only output the difference of the current run
+# compared to the last run (ie. only new upgrades since the last run). If there
+# are no differences, no output/email will be generated. By default, apticron
+# will output everything that needs to be upgraded.
+#
+# DIFF_ONLY="1"
+
+#
+# Set LISTCHANGES_PROFILE if you would like apticron to invoke apt-listchanges
+# with the --profile option. You should add a corresponding profile to
+# /etc/apt/listchanges.conf
+#
+# LISTCHANGES_PROFILE="apticron"
+
+#
+# From hostname manpage: "Displays all FQDNs of the machine. This option
+# enumerates all configured network addresses on all configured network inter‐
+# faces, and translates them to DNS domain names. Addresses that cannot be
+# translated (i.e. because they do not have an appro‐ priate reverse DNS
+# entry) are skipped. Note that different addresses may resolve to the same
+# name, therefore the output may contain duplicate entries. Do not make any
+# assumptions about the order of the output."
+#
+# ALL_FQDNS="1"
+
+#
+# Set SYSTEM if you would like apticron to use something other than the output
+# of "hostname -f" for the system name in the mails it generates. This option
+# overrides the ALL_FQDNS above.
+#
+# SYSTEM="foobar.example.com"
+
+#
+# Set IPADDRESSNUM if you would like to configure the maximal number of IP
+# addresses apticron displays. The default is to display 1 address of each
+# family type (inet, inet6), if available.
+#
+# IPADDRESSNUM="1"
+
+#
+# Set IPADDRESSES to a whitespace separated list of reachable addresses for
+# this system. By default, apticron will try to work these out using the
+# "ip" command
+#
+# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
+
+#
+# Set NOTIFY_HOLDS="0" if you don't want to be notified about new versions of
+# packages on hold in your system. The default behavior is downloading and
+# listing them as any other package.
+#
+# NOTIFY_HOLDS="0"
+
+#
+# Set NOTIFY_NEW="0" if you don't want to be notified about packages which
+# are not installed in your system. Yes, it's possible! There are some issues
+# related to systems which have mixed stable/unstable sources. In these cases
+# apt-get will consider for example that packages with "Priority:
+# required"/"Essential: yes" in unstable but not in stable should be installed,
+# so they will be listed in dist-upgrade output. Please take a look at
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531002#44
+#
+# NOTIFY_NEW="0"
+
+#
+# Set NOTIFY_NO_UPDATES="0" if you don't want to be notified when there is no
+# new versions. Set to 1 could assure you that apticron works well.
+#
+# NOTIFY_NO_UPDATES="0"
+
+#
+# Set CUSTOM_SUBJECT if you want to replace the default subject used in
+# the notification e-mails. This may help filtering/sorting client-side e-mail.
+# If you want to use internal vars please use single quotes here. Ex:
+# $CUSTOM_SUBJECT='[apticron] $SYSTEM: $NUM_PACKAGES package update(s)'
+#
+# CUSTOM_SUBJECT=""
+
+# Set CUSTOM_NO_UPDATES_SUBJECT if you want to replace the default subject used
+# in the no update notification e-mails. This may help filtering/sorting
+# client-side e-mail.
+# If you want to use internal vars please use single quotes here. Ex:
+# $CUSTOM_NO_UPDATES_SUBJECT='[apticron] $SYSTEM: no updates'
+#
+# CUSTOM_NO_UPDATES_SUBJECT=""
+
+#
+# Set CUSTOM_FROM if you want to replace the default sender by changing the
+# 'From:' field used in the notification e-mails. Your default sender will
+# be something like root@ns2.
+#
+# CUSTOM_FROM=""
--- /dev/null
+# fail2ban bash-completion -*- shell-script -*-
+#
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+__fail2ban_jails () {
+ "$1" status 2>/dev/null | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g'
+}
+
+_fail2ban () {
+ local cur prev words cword
+ _init_completion || return
+
+ case $prev in
+ -V|--version|-h|--help)
+ return 0 # No further completion valid
+ ;;
+ -c)
+ _filedir -d # Directories
+ return 0
+ ;;
+ -s|-p)
+ _filedir # Files
+ return 0
+ ;;
+ *)
+ if [[ "$cur" == "-"* ]];then
+ COMPREPLY=( $( compgen -W \
+ "$( _parse_help "$1" --help 2>/dev/null) -V" \
+ -- "$cur") )
+ return 0
+ fi
+ ;;
+ esac
+
+ if [[ "$1" == *"fail2ban-regex" ]];then
+ _filedir
+ return 0
+ elif [[ "$1" == *"fail2ban-client" ]];then
+ local cmd jail
+ case $prev in
+ "$1")
+ COMPREPLY=( $( compgen -W \
+ "$( "$1" --help 2>/dev/null | awk '/^ [a-z]+/{print $1}')" \
+ -- "$cur") )
+ return 0
+ ;;
+ start|reload|stop|status)
+ COMPREPLY=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
+ return 0
+ ;;
+ set|get)
+ COMPREPLY=( $( compgen -W \
+ "$( "$1" --help 2>/dev/null | awk '/^ '$prev' [^<]/{print $2}')" \
+ -- "$cur") )
+ COMPREPLY+=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
+ return 0
+ ;;
+ *)
+ if [[ "${words[$cword-2]}" == "add" ]];then
+ COMPREPLY=( $( compgen -W "auto polling gamin pyinotify" -- "$cur" ) )
+ return 0
+ elif [[ "${words[$cword-2]}" == "set" || "${words[$cword-2]}" == "get" ]];then
+ cmd="${words[cword-2]}"
+ # Handle in section below
+ elif [[ "${words[$cword-3]}" == "set" || "${words[$cword-3]}" == "get" ]];then
+ cmd="${words[$cword-3]}"
+ jail="${words[$cword-2]}"
+ # Handle in section below
+ fi
+ ;;
+ esac
+
+ if [[ -z "$jail" && -n "$cmd" ]];then
+ case $prev in
+ loglevel)
+ if [[ "$cmd" == "set" ]];then
+ COMPREPLY=( $( compgen -W "0 1 2 3 4" -- "$cur" ) )
+ fi
+ return 0
+ ;;
+ logtarget)
+ if [[ "$cmd" == "set" ]];then
+ COMPREPLY=( $( compgen -W "STDOUT STDERR SYSLOG" -- "$cur" ) )
+ _filedir # And files
+ fi
+ return 0
+ ;;
+ *) # Jail name
+ COMPREPLY=( $( compgen -W \
+ "$( "$1" --help 2>/dev/null | awk '/^ '${cmd}' <JAIL>/{print $3}')" \
+ -- "$cur") )
+ return 0
+ ;;
+ esac
+ elif [[ -n "$jail" && "$cmd" == "set" ]];then
+ case $prev in
+ addlogpath)
+ _filedir
+ return 0
+ ;;
+ dellogpath|delignoreip)
+ COMPREPLY=( $( compgen -W \
+ "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F- '{print $2}')" \
+ -- "$cur" ) )
+ if [[ -z "$COMPREPLY" && "$prev" == "dellogpath" ]];then
+ _filedir
+ fi
+ return 0
+ ;;
+ delfailregex|delignoregex)
+ COMPREPLY=( $( compgen -W \
+ "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \
+ -- "$cur" ) )
+ return 0
+ ;;
+ unbanip)
+ COMPREPLY=( $( compgen -W \
+ "$( "$1" status "$jail" 2>/dev/null | awk -F"\t+" '/IP list:/{print $2}')" \
+ -- "$cur" ) )
+ return 0
+ ;;
+ idle)
+ COMPREPLY=( $( compgen -W "on off" -- "$cur" ) )
+ return 0
+ ;;
+ usedns)
+ COMPREPLY=( $( compgen -W "yes no warn" -- "$cur" ) )
+ return 0
+ ;;
+ esac
+ fi
+
+ fi # fail2ban-client
+} &&
+complete -F _fail2ban fail2ban-client fail2ban-server fail2ban-regex
--- /dev/null
+# /etc/bash_completion.d/isoquery
+# Programmable Bash command completion for the ‘isoquery’ command.
+
+shopt -s progcomp
+
+_isoquery_completion () {
+ local cur prev opts
+
+ COMPREPLY=()
+ cur="${COMP_WORDS[COMP_CWORD]}"
+ prev="${COMP_WORDS[COMP_CWORD-1]}"
+
+ opts="-h --help -v --version"
+ opts="${opts} -i --iso -x --xmlfile -l --locale -0 --null"
+ opts="${opts} -n --name -o --official_name -c --common_name"
+
+ case "${prev}" in
+ -i|--iso)
+ local standards=(639 639-3 639-5 3166 3166-2 4217 15924)
+ COMPREPLY=( $(compgen -W "${standards[*]}" -- ${cur}) )
+ ;;
+
+ -x|--xmlfile)
+ COMPREPLY=( $(compgen -A file -- ${cur}) )
+ ;;
+
+ -l|--locale)
+ local locale_names=$(locale --all-locales)
+ COMPREPLY=( $(compgen -W "${locale_names}" -- ${cur}) )
+ ;;
+
+ *)
+ COMPREPLY=($(compgen -W "${opts}" -- ${cur}))
+ ;;
+ esac
+}
+
+complete -F _isoquery_completion isoquery
+
+
+# Local variables:
+# coding: utf-8
+# mode: shell-script
+# End:
+# vim: fileencoding=utf-8 filetype=bash :
--- /dev/null
+# This the default chrony.conf file for the Debian chrony package. After
+# editing this file use the command 'invoke-rc.d chrony restart' to make
+# your changes take effect. John Hasler <jhasler@debian.org> 1998-2008
+
+# See www.pool.ntp.org for an explanation of these servers. Please
+# consider joining the project if possible. If you can't or don't want to
+# use these servers I suggest that you try your ISP's nameservers. We mark
+# the servers 'offline' so that chronyd won't try to connect when the link
+# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
+# commands to switch it on when a dialup link comes up and off when it goes
+# down. Code in /etc/init.d/chrony attempts to determine whether or not
+# the link is up at boot time and set the online status accordingly. If
+# you have an always-on connection such as cable omit the 'offline'
+# directive and chronyd will default to online.
+#
+# Note that if Chrony tries to go "online" and dns lookup of the servers
+# fails they will be discarded. Thus under some circumstances it is
+# better to use IP numbers than host names.
+
+server 0.debian.pool.ntp.org offline minpoll 8
+server 1.debian.pool.ntp.org offline minpoll 8
+server 2.debian.pool.ntp.org offline minpoll 8
+server 3.debian.pool.ntp.org offline minpoll 8
+
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key. Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+
+log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# Allow computers on the unrouted nets to use the server.
+
+allow 10/8
+allow 192.168/16
+allow 172.16/12
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data. It may not work on some newer motherboards
+# that use the HPET real-time clock. It requires enhanced real-time
+# support in the kernel. I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
+# chrony will assume local time. The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS. You may
+# change it if necessary.
+# rtconutc
--- /dev/null
+1 2DiH7BB#
--- /dev/null
+# Example colordiffrc file for dark backgrounds
+#
+# Set banner=no to suppress authorship info at top of
+# colordiff output
+banner=no
+# By default, when colordiff output is being redirected
+# to a file, it detects this and does not colour-highlight
+# To make the patch file *include* colours, change the option
+# below to 'yes'
+color_patches=no
+# Sometimes it can be useful to specify which diff command to
+# use: that can be specified here
+diff_cmd=diff
+#
+# available colours are: white, yellow, green, blue,
+# cyan, red, magenta, black,
+# darkwhite, darkyellow, darkgreen,
+# darkblue, darkcyan, darkred,
+# darkmagenta, darkblack
+#
+# Can also specify 'none', 'normal' or 'off' which are all
+# aliases for the same thing, namely "don't colour highlight
+# this, use the default output colour"
+#
+plain=off
+newtext=blue
+oldtext=red
+diffstuff=magenta
+cvsstuff=green
--- /dev/null
+# cron entry for apticron
+
+28 * * * * root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi
--- /dev/null
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
+# valid options.
+FAIL2BAN_OPTS=""
+
+# Run fail2ban as a different user. If not set, fail2ban
+# will run as root.
+#
+# The user is not created automatically.
+# The user can be created e.g. with
+# useradd --system --no-create-home --home-dir / --groups adm fail2ban
+# Log files are readable by group adm by default. Adding the fail2ban
+# user to this group allows it to read the logfiles.
+#
+# Another manual step that needs to be taken is to allow write access
+# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
+# script will change the ownership when starting fail2ban. Logrotate
+# needs to be configured separately, see /etc/logrotate.d/fail2ban.
+#
+# FAIL2BAN_USER="fail2ban"
--- /dev/null
+# Configuration file for haveged
+
+# Options to pass to haveged:
+# -w sets low entropy watermark (in bits)
+DAEMON_ARGS="-w 1024"
--- /dev/null
+# defaults file for rsync daemon mode
+
+# start rsync in daemon mode from init.d script?
+# only allowed values are "true", "false", and "inetd"
+# Use "inetd" if you want to start the rsyncd from inetd,
+# all this does is prevent the init.d script from printing a message
+# about not starting rsyncd (you still need to modify inetd's config yourself).
+RSYNC_ENABLE=false
+
+# which file should be used as the configuration file for rsync.
+# This file is used instead of the default /etc/rsyncd.conf
+# Warning: This option has no effect if the daemon is accessed
+# using a remote shell. When using a different file for
+# rsync you might want to symlink /etc/rsyncd.conf to
+# that file.
+# RSYNC_CONFIG_FILE=
+
+# what extra options to give rsync --daemon?
+# that excludes the --daemon; that's always done in the init.d script
+# Possibilities are:
+# --address=123.45.67.89 (bind to a specific IP address)
+# --port=8730 (bind to specified port; default 873)
+RSYNC_OPTS=''
+
+# run rsyncd at a nice level?
+# the rsync daemon can impact performance due to much I/O and CPU usage,
+# so you may want to run it at a nicer priority than the default priority.
+# Allowed values are 0 - 19 inclusive; 10 is a reasonable value.
+RSYNC_NICE=''
+
+# run rsyncd with ionice?
+# "ionice" does for IO load what "nice" does for CPU load.
+# As rsync is often used for backups which aren't all that time-critical,
+# reducing the rsync IO priority will benefit the rest of the system.
+# See the manpage for ionice for allowed options.
+# -c3 is recommended, this will run rsync IO at "idle" priority. Uncomment
+# the next line to activate this.
+# RSYNC_IONICE='-c3'
+
+# Don't forget to create an appropriate config file,
+# else the daemon will not start.
--- /dev/null
+#!/bin/sh
+
+# Don't overwrite /etc/resolv.conf
+make_resolv_conf() {
+ :
+}
--- /dev/null
+# Fail2Ban configuration file
+# https://www.rfxn.com/projects/advanced-policy-firewall/
+#
+# Note: APF doesn't play nicely with other actions. It has been observed to
+# remove bans created by other iptables based actions. If you are going to use
+# this action, use it for all of your jails.
+#
+# DON'T MIX APF and other IPTABLES based actions
+[Definition]
+
+actionstart =
+actionstop =
+actioncheck =
+actionban = apf --deny <ip> "banned by Fail2Ban <name>"
+actionunban = apf --remove <ip>
+
+[Init]
+
+# Name used in APF configuration
+#
+name = default
+
+# DEV NOTES:
+#
+# Author: Mark McKinstry
--- /dev/null
+# Fail2ban reporting to badips.com
+#
+# Note: This reports and IP only and does not actually ban traffic. Use
+# another action in the same jail if you want bans to occur.
+#
+# Set the category to the appropriate value before use.
+#
+# To get see register and optional key to get personalised graphs see:
+# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
+
+[Definition]
+
+actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add/<category>/<ip>
+
+[Init]
+
+# Option: category
+# Notes.: Values are from the list here: http://www.badips.com/get/categories
+category =
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+# Action to report IP address to blocklist.de
+# Blocklist.de must be signed up to at www.blocklist.de
+# Once registered, one or more servers can be added.
+# This action requires the server 'email address' and the assoicate apikey.
+#
+# From blocklist.de:
+# www.blocklist.de is a free and voluntary service provided by a
+# Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
+# Mail-Login-, FTP-, Webserver- and other services.
+# The mission is to report all attacks to the abuse deparments of the
+# infected PCs/servers to ensure that the responsible provider can inform
+# the customer about the infection and disable them
+#
+# IMPORTANT:
+#
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+# * The recidive where the IP has been banned multiple times
+# * Where maxretry has been set quite high, beyond the normal user typing
+# password incorrectly.
+# * For filters that have a low likelyhood of receiving human errors
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Option: email
+# Notes server email address, as per blocklise.de account
+# Values: STRING Default: None
+#
+#email =
+
+# Option: apikey
+# Notes your user blocklist.de user account apikey
+# Values: STRING Default: None
+#
+#apikey =
+
+# Option: service
+# Notes service name you are reporting on, typically aligns with filter name
+# see http://www.blocklist.de/en/httpreports.html for full list
+# Values: STRING Default: None
+#
+#service =
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+# Daniel Black (start/stop)
+# Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = ipfw table <table> add <ip>
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipfw table <table> delete <ip>
+
+[Init]
+# Option: table
+# Notes: The ipfw table to use. If a ipfw rule using this table already exists,
+# this action will not create a ipfw rule to block it and the following
+# options will have no effect.
+# Values: NUM
+table = 1
+
+# Option: port
+# Notes.: Specifies port to monitor. Blank indicate block all ports.
+# Values: [ NUM | STRING ]
+#
+port =
+
+# Option: startstatefile
+# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values: STRING
+startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
+
+# Option: block
+# Notes: This is how much to block.
+# Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = ip
+
+# Option: blocktype
+# Notes.: How to block the traffic. Use a action from man 5 ipfw
+# Common values: deny, unreach port, reset
+# ACTION defination at the top of man ipfw for allowed values.
+# Values: STRING
+#
+blocktype = unreach port
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
+# Sends a complaint e-mail to addresses listed in the whois record for an
+# offending IP address.
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# DEPENDANCIES:
+# This requires the dig command from bind-utils
+#
+# You should provide the <logpath> in the jail config - lines from the log
+# matching the given IP address will be provided in the complaint as evidence.
+#
+# WARNING
+# -------
+#
+# Please do not use this action unless you are certain that fail2ban
+# does not result in "false positives" for your deployment. False
+# positive reports could serve a mis-favor to the original cause by
+# flooding corresponding contact addresses, and complicating the work
+# of administration personnel responsible for handling (verified) legit
+# complains.
+#
+# Please consider using e.g. sendmail-whois-lines.conf action which
+# would send the reports with relevant information to you, so the
+# report could be first reviewed and then forwarded to a corresponding
+# contact if legit.
+#
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+ IP=<ip>
+ if [ ! -z "$ADDRESSES" ]; then
+ (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> ${ADDRESSES//,/\" \"}
+ fi
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
+# Option: mailcmd
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+mailcmd = mail -s
+
+# Option: mailargs
+# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+# CC reports to another address:
+# -c me@example.com
+# Appear to come from a different address - the '--' indicates
+# arguments to be passed to Sendmail:
+# -- -f me@example.com
+# Values: [ STRING ]
+#
+mailargs =
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to DShield (http://www.dshield.org/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <userid> (your DShield userID, if you have one - recommended, but reports will
+# be used anonymously if not)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = dshield[port=1234,protocol=tcp]
+#
+# ...and create "dshield.local" with contents something like this:
+# [Init]
+# myip = 10.0.0.1
+# userid = 12345
+#
+# Other useful configuration values are <mailargs> (you can use for specifying
+# a different sender address for the report e-mails, which should match what is
+# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
+# configure how often the buffer is flushed).
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = if [ -f <tmpfile>.buffer ]; then
+ cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+ date +%%s > <tmpfile>.lastsent
+ fi
+ rm -f <tmpfile>.buffer <tmpfile>.first
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+# See http://www.dshield.org/specs.html for more on report format/notes
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
+ DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
+ PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+ if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+ printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
+ NOW=`date +%%s`
+ if [ ! -f <tmpfile>.first ]; then
+ echo <time> | cut -d. -f1 > <tmpfile>.first
+ fi
+ if [ ! -f <tmpfile>.lastsent ]; then
+ echo 0 > <tmpfile>.lastsent
+ fi
+ LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+ LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
+ LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
+ if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
+ cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
+ rm -f <tmpfile>.buffer <tmpfile>.first
+ echo $NOW > <tmpfile>.lastsent
+ fi
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = if [ -f <tmpfile>.first ]; then
+ NOW=`date +%%s`
+ LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+ if [ $LOGAGE -gt <maxbufferage> ]; then
+ cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+ rm -f <tmpfile>.buffer <tmpfile>.first
+ echo $NOW > <tmpfile>.lastsent
+ fi
+ fi
+
+
+[Init]
+# Option: port
+# Notes.: The target port for the attack (numerical). MUST be provided in the
+# jail config, as it cannot be detected here.
+# Values: [ NUM ]
+#
+port = ???
+
+# Option: userid
+# Notes.: Your DShield user ID. Should be provided either in the jail config or
+# in a .local file.
+# Register at https://secure.dshield.org/register.html
+# Values: [ NUM ]
+#
+userid = 0
+
+# Option: myip
+# Notes.: The target IP for the attack (your public IP). Should be provided
+# either in the jail config or in a .local file unless your PUBLIC IP
+# is the first IP assigned to eth0
+# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
+# which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option: protocol
+# Notes.: The protocol over which the attack is happening
+# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option: lines
+# Notes.: How many lines to buffer before making a report. Regardless of this,
+# reports are sent a minimum of <minreportinterval> apart, or if the
+# buffer contains an event over <maxbufferage> old, or on shutdown
+# Values: [ NUM ]
+#
+lines = 50
+
+# Option: minreportinterval
+# Notes.: Minimum period (in seconds) that must elapse before we submit another
+# batch of reports. DShield request a minimum of 1 hour (3600 secs)
+# between reports.
+# Values: [ NUM ]
+#
+minreportinterval = 3600
+
+# Option: maxbufferage
+# Notes.: Maximum age (in seconds) of the oldest report in the buffer before we
+# submit the batch, even if we haven't reached <lines> yet. Note that
+# this is only checked on each ban/unban, and that we always send
+# anything in the buffer on shutdown. Must be greater than
+# Values: [ NUM ]
+#
+maxbufferage = 21600
+
+# Option: srcport
+# Notes.: The source port of the attack. You're unlikely to have this info, so
+# you can leave the default
+# Values: [ NUM ]
+#
+srcport = ???
+
+# Option: tcpflags
+# Notes.: TCP flags on attack. You're unlikely to have this info, so you can
+# leave empty
+# Values: [ STRING ]
+#
+tcpflags =
+
+# Option: mailcmd
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+mailcmd = mail -s
+
+# Option: mailargs
+# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+# CC reports to another address:
+# -c me@example.com
+# Appear to come from a different address (the From address must match
+# the one configured at DShield - the '--' indicates arguments to be
+# passed to Sendmail):
+# -- -f me@example.com
+# Values: [ STRING ]
+#
+mailargs =
+
+# Option: dest
+# Notes.: Destination e-mail address for reports
+# Values: [ STRING ]
+#
+dest = reports@dshield.org
+
+# Option: tmpfile
+# Notes.: Base name of temporary files used for buffering
+# Values: [ STRING ]
+#
+tmpfile = /var/run/fail2ban/tmp-dshield
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = touch /var/run/fail2ban/fail2ban.dummy
+ printf %%b "<init>\n" >> /var/run/fail2ban/fail2ban.dummy
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = rm -f /var/run/fail2ban/fail2ban.dummy
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
+
+[Init]
+
+init = 123
+
--- /dev/null
+# Fail2Ban action file for firewall-cmd/ipset
+#
+# This requires:
+# ipset (package: ipset)
+# firewall-cmd (package: firewalld)
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+ firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+ ipset flush fail2ban-<name>
+ ipset destroy fail2ban-<name>
+
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ]
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ]
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: [ STRING ]
+#
+chain = INPUT_direct
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+
+bantime = 600
+
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch and Daniel Black
+# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
--- /dev/null
+# Fail2Ban configuration file
+#
+# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-<name>
+ firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 1000 -j RETURN
+ firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ firewall-cmd --direct --remove-rules ipv4 filter fail2ban-<name>
+ firewall-cmd --direct --remove-chain ipv4 filter fail2ban-<name>
+
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'
+
+actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
+
+actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ]
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ]
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: [ STRING ]
+#
+chain = INPUT_direct
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch
+# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
+# It uses "firewall-cmd" instead of "iptables".
+#
+# Output:
+#
+# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
+# success
+# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
+# success
+# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name
+# success
+# $ firewall-cmd --direct --get-chains ipv4 filter
+# fail2ban-name
+# $ firewall-cmd --direct --get-chains ipv4 filter | od -h
+# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
+# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
+# 0
+# $ firewall-cmd -V
+# 0.3.8
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = IP=<ip> &&
+ printf %%b "<daemon_list>: $IP\n" >> <file>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = echo "/^<daemon_list>: <ip>$/<br>d<br>w<br>q" | ed <file>
+
+[Init]
+
+# Option: file
+# Notes.: hosts.deny file path.
+# Values: STR Default: /etc/hosts.deny
+#
+file = /etc/hosts.deny
+
+# Option: daemon_list
+# Notes: The list of services that this action will deny. See the man page
+# for hosts.deny/hosts_access. Default is all services.
+# Values: STR Default: ALL
+daemon_list = ALL
--- /dev/null
+# Fail2Ban configuration file
+#
+# NetBSD ipfilter (ipf command) ban/unban
+#
+# Author: Ed Ravin <eravin@panix.com>
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+# enable IPF if not already enabled
+actionstart = /sbin/ipf -E
+
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
+actionstop =
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+# note -r option used to remove matching rule
+actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
+
+[Init]
+
+# Option: Blocktype
+# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
+# Shell expansion. This should be blank (unquoted) to drop the packet.
+# Values: STRING
+blocktype = "return-icmp(port-unr)"
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipfw delete `ipfw list | grep -i "[^0-9]<ip>[^0-9]" | awk '{print $1;}'`
+
+[Init]
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ]
+#
+port = ssh
+
+# Option: localhost
+# Notes.: the local IP address of the network interface
+# Values: IP
+#
+localhost = 127.0.0.1
+
+
+# Option: blocktype
+# Notes.: How to block the traffic. Use a action from man 5 ipfw
+# Common values: deny, unreach port, reset
+# Values: STRING
+#
+blocktype = unreach port
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# made active on all ports from original iptables.conf
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I <chain> -p <protocol> -j fail2ban-<name>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is a included configuration file and includes the defination for the blocktype
+# used in all iptables based actions by default.
+#
+# The user can override the default in iptables-blocktype.local
+
+[INCLUDES]
+
+after = iptables-blocktype.local
+
+[Init]
+
+# Option: blocktype
+# Note: This is what the action does with rules. This can be any jump target
+# as per the iptables man page (section 8). Common values are DROP
+# REJECT, REJECT --reject-with icmp-port-unreachable
+# Values: STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 4 (ipset v4.2). If you have a later version
+# of ipset try to use the iptables-ipset-proto6.conf as it does some things
+# nicer.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules. Debian squeeze can do this with:
+# apt-get install xtables-addons-source
+# module-assistant auto-install xtables-addons
+#
+# Debian wheezy and above uses protocol 6
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset --create fail2ban-<name> iphash
+ iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+ ipset --flush fail2ban-<name>
+ ipset --destroy fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset --test fail2ban-<name> <ip> || ipset --add fail2ban-<name> <ip>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset --test fail2ban-<name> <ip> && ipset --del fail2ban-<name> <ip>
+
+[Init]
+
+# Default name of the ipset
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default: ssh
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules which probably won't be protocol version 6.
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+ iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
+ ipset flush fail2ban-<name>
+ ipset destroy fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Default name of the ipset
+#
+name = default
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+
+bantime = 600
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+ iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+ ipset flush fail2ban-<name>
+ ipset destroy fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Default name of the ipset
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default: ssh
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+
+bantime = 600
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Guido Bozzetto
+# Modified: Cyril Jaquier
+#
+# make "fail2ban-<name>" chain to match drop IP
+# make "fail2ban-<name>-log" chain to log and drop
+# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -N fail2ban-<name>-log
+ iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+ iptables -A fail2ban-<name>-log -j <blocktype>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -F fail2ban-<name>-log
+ iptables -X fail2ban-<name>
+ iptables -X fail2ban-<name>-log
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Copied from iptables.conf and modified by Yaroslav Halchenko
+# to fulfill the needs of bugreporter dbts#350746.
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+# Changing iptables rules requires root privileges. If fail2ban is
+# configured to run as root, firewall setup can be performed by
+# fail2ban automatically. However, if fail2ban is configured to run as
+# a normal user, the configuration must be done by some other means
+# (e.g. using static firewall configuration with the
+# iptables-persistent package).
+#
+# Explanation of the rule below:
+# Check if any packets coming from an IP on the fail2ban-<name>
+# list have been seen in the last 3600 seconds. If yes, update the
+# timestamp for this IP and drop the packet. If not, let the packet
+# through.
+#
+# Fail2ban inserts blacklisted hosts into the fail2ban-<name> list
+# and removes them from the list after some time, according to its
+# own rules. The 3600 second timeout is independent and acts as a
+# safeguard in case the fail2ban process dies unexpectedly. The
+# shorter of the two timeouts actually matters.
+actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
+ if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = echo -<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+ printf %%b "Hi,\n
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+ if [ $LINE -ge <lines> ]; then
+ printf %%b "Hi,\n
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ \nRegards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+ rm <tmpfile>
+ fi
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /var/run/fail2ban/tmp-mail.txt
+
+# Destination/Addressee of the mail
+#
+dest = root
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n\n
+ Here is more information about <ip>:\n
+ `whois <ip> || echo missing whois program`\n\n
+ Lines containing IP:<ip> in <logpath>\n
+ `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destinataire of the mail
+#
+dest = root
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n\n
+ Here is more information about <ip>:\n
+ `whois <ip> || echo missing whois program`\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = printf %%b "Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+ Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+# <mnwlogin> (your mNW login).
+# <mnwpass> (your mNW password).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = mynetwatchman[port=1234,protocol=udp]
+#
+# ...and create "mynetwatchman.local" with contents something like this:
+# [Init]
+# mnwlogin = me@example.com
+# mnwpass = SECRET
+# myip = 10.0.0.1
+#
+# Another useful configuration value is <getcmd>, if you don't have wget
+# installed (an example config for curl is given below)
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
+ MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
+ PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+ if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+ DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
+ <getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+# Option: port
+# Notes.: The target port for the attack (numerical). MUST be provided in
+# the jail config, as it cannot be detected here.
+# Values: [ NUM ] Default: ???
+#
+port = 0
+
+# Option: mnwlogin
+# Notes.: Your mNW login e-mail address. MUST be provided either in the jail
+# config or in a .local file.
+# Register at http://www.mynetwatchman.com/reg.asp
+# Values: [ STRING ] Default: (empty)
+#
+mnwlogin =
+
+# Option: mnwpass
+# Notes.: The password corresponding to your mNW login e-mail address. MUST be
+# provided either in the jail config or in a .local file.
+# Values: [ STRING ] Default: (empty)
+#
+mnwpass =
+
+# Option: myip
+# Notes.: The target IP for the attack (your public IP). Should be overridden
+# either in the jail config or in a .local file unless your PUBLIC IP
+# is the first IP assigned to eth0
+# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
+# which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option: protocol
+# Notes.: The protocol over which the attack is happening
+# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option: getcmd
+# Notes.: A command to fetch a URL. Should output page to STDOUT
+# Values: CMD Default: wget
+#
+getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
+# Alternative value:
+# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
+
+# Option: srcport
+# Notes.: The source port of the attack. You're unlikely to have this info, so
+# you can leave the default
+# Values: [ NUM ] Default: 0
+#
+srcport = 0
+
+# Option: mnwurl
+# Notes.: The report service URL on the mNW site
+# Values: STRING Default: http://mynetwatchman.com/insertwebreport.asp
+#
+mnwurl = http://mynetwatchman.com/insertwebreport.asp
+
+# Option: tmpfile
+# Notes.: Base name of temporary files
+# Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman
+#
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
--- /dev/null
+# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
+#
+# Anonymous author
+# http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081
+#
+# Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
+
+[Definition]
+actionstart =
+actionstop =
+actioncheck =
+actionban = /usr/libexec/afctl -a <ip> -t <bantime>
+actionunban = /usr/libexec/afctl -r <ip>
+
+[Init]
+bantime = 2880
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Andy Fragen and Daniel Black
+#
+# Mod for OS X, using random rulenum as OSX ipfw doesn't include tables
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# Values: CMD
+#
+actionban = ipfw add <rulenum> set <setnum> <blocktype> log <block> from <ip> to <dst> <port>
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# Values: CMD
+#
+actionunban = ipfw delete `ipfw -S list | grep -i 'set <setnum> <blocktype> log <block> from <ip> to <dst>' | awk '{print $1;}'`
+
+[Init]
+
+# Option: port
+# Notes.: specifies port to block. Can be blank however may require block="ip"
+# Values: [ NUM | STRING ]
+#
+port = ssh
+
+# Option: dst
+# Notes.: the local IP address of the network interface
+# Values: IP, any, me or anything support by ipfw as a dst
+#
+dst = me
+
+# Option: block
+# Notes: This is how much to block.
+# Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = tcp
+
+# Option: blocktype
+# Notes.: How to block the traffic. Use a action from man 8 ipfw
+# Common values: deny, unreach port, reset
+# Values: STRING
+#
+blocktype = unreach port
+
+# Option: set number
+# Notes.: The ipset number this is added to.
+# Values: 0-31
+setnum = 10
+
+# Option: number for ipfw rule
+# Notes: This is meant to be automatically generated and not overwritten
+# Values: Random value between 10000 and 12000
+rulenum="`echo $((RANDOM%%2000+10000))`"
+
+# Duplicate prevention mechanism
+#rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`"
--- /dev/null
+# Fail2Ban configuration file
+#
+# OpenBSD pf ban/unban
+#
+# Author: Nick Hilliard <nick@foobar.org>
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+# we don't enable PF automatically, as it will be enabled elsewhere
+actionstart =
+
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+# we don't disable PF automatically either
+actionstop =
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+# note -r option used to remove matching rule
+actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
+
+[Init]
+# Option: tablename
+# Notes.: The pf table name.
+# Values: [ STRING ]
+#
+tablename = fail2ban
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Michael Gebetsroither
+#
+# This is for blocking whole hosts through blackhole routes.
+#
+# PRO:
+# - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
+# - It's FAST for very large numbers of blocked ips.
+# - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
+# - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
+# - No additional software required beside iproute/iproute2
+#
+# CON:
+# - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
+
+[Definition]
+actionban = ip route add <blocktype> <ip>
+actionunban = ip route del <blocktype> <ip>
+
+[Init]
+
+# Option: blocktype
+# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+# Values: STRING
+blocktype = unreachable
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Output will be buffered until <lines> lines are available.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+ printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ rm <tmpfile>
+ fi
+ printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+ From: Fail2Ban <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+ LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+ if [ $LINE -ge <lines> ]; then
+ printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ These hosts have been banned by Fail2Ban.\n
+ `cat <tmpfile>`
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ rm <tmpfile>
+ fi
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /var/run/fail2ban/tmp-mail.txt
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Common settings for sendmail actions
+#
+# Users can override the defaults in sendmail-common.local
+
+[INCLUDES]
+
+after = sendmail-common.local
+
+[Init]
+
+# Recipient mail address
+#
+dest = root
+
+# Sender mail address
+#
+sender = fail2ban
+
+# Sender display name
+#
+sendername = Fail2Ban
+
+# vim: filetype=dosini
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n\n
+ Here is more information about <ip>:\n
+ `/usr/bin/whois <ip> || echo missing whois program`\n\n
+ Lines containing IP:<ip> in <logpath>\n
+ `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n\n
+ Here is more information about <ip>:\n
+ `/usr/bin/whois <ip> || echo missing whois program`\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+
+# vim: filetype=dosini
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been started successfully.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The jail <name> has been stopped.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+ Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+ From: <sendername> <<sender>>
+ To: <dest>\n
+ Hi,\n
+ The IP <ip> has just been banned by Fail2Ban after
+ <failures> attempts against <name>.\n
+ Regards,\n
+ Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+
+# vim: filetype=dosini
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
+# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
+# new shorewall rule to ban an IP address, that rule will affect only new
+# connections. So if the attempter goes on trying using the same connection
+# he could even log in. In order to get the same behavior of the iptable
+# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
+# file should me modified with "BLACKLISTNEWONLY=No".
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = shorewall <blocktype> <ip>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = shorewall allow <ip>
+
+[Init]
+
+# Option: blocktype
+# Note: This is what the action does with rules.
+# See man page of shorewall for options that include drop, logdrop, reject, or logreject
+# Values: STRING
+blocktype = reject
--- /dev/null
+# Fail2Ban action configuration file for ufw
+#
+# You are required to run "ufw enable" before this will have an effect.
+#
+# The insert position should be approprate to block the required traffic.
+# A number after an allow rule to the application won't be much use.
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+actionban = [ -n "<application>" ] && app="app <application>" ; ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
+
+actionunban = [ -n "<application>" ] && app="app <application>" ; ufw delete <blocktype> from <ip> to <destination> $app
+
+[Init]
+# Option: insertpos
+# Notes.: The postition number in the firewall list to insert the block rule
+insertpos = 1
+
+# Option: blocktype
+# Notes.: reject or deny
+blocktype = reject
+
+# Option: destination
+# Notes.: The destination address to block in the ufw rule
+destination = any
+
+# Option: application
+# Notes.: application from sudo ufw app list
+application =
+
+# DEV NOTES:
+#
+# Author: Guilhem Lettron
+# Enhancements: Daniel Black
--- /dev/null
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes: in most of the cases you should not modify this
+# file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = 4
+#
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+# 1 = ERROR
+# 2 = WARN
+# 3 = INFO
+# 4 = DEBUG
+# Values: [ NUM ] Default: 1
+#
+loglevel = 3
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+# Only one log target can be specified.
+# If you change logtarget from the default value and you are
+# using logrotate -- also adjust or disable rotation in the
+# corresponding configuration file
+# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
+#
+logtarget = /var/log/fail2ban.log
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+# not remove this file when Fail2ban runs. It will not be possible to
+# communicate with the server afterwards.
+# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
+#
+socket = /var/run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+# fail2ban server.
+# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
+#
+pidfile = /var/run/fail2ban/fail2ban.pid
+
+# vim: filetype=dosini
--- /dev/null
+# Fail2Ban filter for 3proxy
+#
+#
+
+[Definition]
+
+
+failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
+
+ignoreregex =
+
+# DEV Notes:
+# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
+# all authentication problems (%E field)
+# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
+#
+# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban apache-auth filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
+ ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
+ ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# This filter matches the authorization failures of Apache. It takes the log messages
+# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
+# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
+#
+# An unauthorized response 401 is the first step for a browser to instigate authentication
+# however apache doesn't log this as an error. Only subsequent errors are logged in the
+# error log.
+#
+# Source:
+#
+# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
+# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
+# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
+# to return the actual failure.
+#
+# See also: http://wiki.apache.org/httpd/ListOfErrors
+# Expressions that don't have tests and aren't common.
+# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
+# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
+# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
+#
+# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
+#
+# Author: Cyril Jaquier
+# Major edits by Daniel Black
--- /dev/null
+# Fail2Ban configuration file
+#
+# Regexp to catch known spambots and software alike. Please verify
+# that it is your intent to block IPs which were driven by
+# above mentioned bots.
+
+
+[Definition]
+
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+
+ignoreregex =
+
+# DEV Notes:
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
+#
+# Author: Yaroslav Halchenko
--- /dev/null
+# Generic configuration items (to be used as interpolations) in other
+# apache filters.
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+[DEFAULT]
+
+_apache_error_client = \[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+# Depending on the version it could be
+# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
+# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
+# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to
+#
+# Reference: https://github.com/fail2ban/fail2ban/issues/268
+#
+# Author: Yaroslav Halchenko
--- /dev/null
+# Fail2Ban apache-modsec filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s ModSecurity: (\[.*?\] )*Access denied with code [45]\d\d.*$
+
+ignoreregex =
+
+# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban filter to web requests for home directories on Apache servers
+#
+# Regex to match failures to find a home directory on a server, which
+# became popular last days. Most often attacker just uses IP instead of
+# domain name -- so expect to see them in generic error.log if you have
+# per-domain log files.
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
+
+ignoreregex =
+
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>
--- /dev/null
+# Fail2Ban filter to block web requests for scripts (on non scripted websites)
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$
+ ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is Before http-2.2
+#
+# Author: Cyril Jaquier
--- /dev/null
+# Fail2Ban filter to block web requests on a long or suspicious nature
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# fgrep -r 'URI too long' httpd-2.*
+# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)",
+#
+# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
+# httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request);
+# httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request);
+# httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
+# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request);
+# httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
+# httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request);
+#
+# fgrep -r 'invalid characters in URI' httpd-2.*
+# httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI");
+#
+# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
+# ...possible attempt to establish SSL connection on non-SSL port
+#
+# https://wiki.apache.org/httpd/ListOfErrors
+# Author: Tim Connors
--- /dev/null
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
+#
+# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
+# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+#
+#
+
+[Definition]
+
+__assp_actions = (?:dropping|refusing)
+
+failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
+ ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+ ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
+#
+# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
--- /dev/null
+# Fail2Ban filter for asterisk authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = asterisk
+
+__pid_re = (?:\[\d+\])
+
+# All Asterisk log messages begin like this:
+log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
+
+failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
+ ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
+
+ignoreregex =
+
+
+# Author: Xavier Devlamynck / Daniel Black
+#
+# General log format - main/logger.c:ast_log
+# Address format - ast_sockaddr_stringify
+#
+# First regex: channels/chan_sip.c
+#
+# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
--- /dev/null
+# Generic configuration items (to be used as interpolations) in other
+# filters or actions configurations
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = common.local
+
+
+[DEFAULT]
+
+# Daemon definition is to be specialized (if needed) in .conf file
+_daemon = \S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+#
+# PID.
+# EXAMPLES: [123]
+__pid_re = (?:\[\d+\])
+
+# Daemon name (with optional source_file:line or whatever)
+# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
+__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
+
+# extra daemon info
+# EXAMPLE: [ID 800047 auth.info]
+__daemon_extra_re = (?:\[ID \d+ \S+\])
+
+# Combinations of daemon name and PID
+# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
+__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
+
+# Some messages have a kernel prefix with a timestamp
+# EXAMPLES: kernel: [769570.846956]
+__kernel_prefix = kernel: \[ *\d+\.\d+\]
+
+__hostname = \S+
+
+# A MD5 hex
+# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
+__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
+
+# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
+# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
+__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
+
+# Common line prefixes (beginnings) which could be used in filters
+#
+# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
+#
+# This can be optional (for instance if we match named native log files)
+__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
+
+# Author: Yaroslav Halchenko
--- /dev/null
+# Fail2Ban filter for courier authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
+
+failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
+
+ignoreregex =
+
+# Author: Christoph Haas
+# Modified by: Cyril Jaquier
--- /dev/null
+# Fail2Ban filter to block relay attempts though a Courier smtp server
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
+
+ignoreregex =
+
+# Author: Cyril Jaquier
--- /dev/null
+# Fail2Ban filter for authentication failures on Cyrus imap server
+#
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
+
+ignoreregex =
+
+# Author: Jan Wagner <waja@cyconet.org>
--- /dev/null
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (auth|dovecot(-auth)?|auth-worker)
+
+failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
+ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+
+ignoreregex =
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly
+# * Removed the 'no auth attempts' log lines from the matches because produces
+# lots of false positives on misconfigured MTAs making regexp unuseable
+#
+# Author: Martin Waschbuesch
+# Daniel Black (rewrote with begin and end anchors)
--- /dev/null
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack. The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = dropbear
+
+failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
+ ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
+ ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from <HOST>" bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+# Zak B. Elep
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+# This allows lines between the matching lines to continue to be
+# searched for other failures. This tag can be used multiple times.
+# Values: TEXT
+#
+failregex = ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
--- /dev/null
+# Fail2Ban filter file for common exim expressions
+#
+# This is to be used by other exim filters
+
+[INCLUDES]
+
+# Load customizations if any available
+after = exim-common.local
+
+[Definition]
+
+host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
+pid = ( \[\d+\])?
+
+# DEV Notes:
+# From exim source code: ./src/receive.c:add_host_info_for_log
+#
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban filter for exim the spam rejection messages
+#
+## For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
+ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
+ ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
+ ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
+
+ignoreregex =
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# Author: Cyril Jaquier
+# Daniel Black (rewrote with strong regexs)
--- /dev/null
+# Fail2Ban filter for exim
+#
+# This includes the rejection messages of exim. For spam and filter
+# related bans use the exim-spam.conf
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+ ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
+ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
+ ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+
+ignoreregex =
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
+# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
+# user injectable data.
+#
+# Author: Cyril Jaquier
+# Daniel Black (rewrote with strong regexs)
--- /dev/null
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+# <param name="log-auth-failures" value="true"/>
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[Definition]
+
+failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
+ ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
+
+ignoreregex =
+
+# Author: Rupa SChomaker, soapee01, Daniel Black
+# http://wiki.freeswitch.org/wiki/Fail2ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
--- /dev/null
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
+
+
+
+# Author: Daniel Black
+
--- /dev/null
+# Fail2Ban filter file for gssftp
+#
+# Note: gssftp is part of the krb5-appl-servers in Fedora
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = ftpd
+
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
+
+ignoreregex =
+
+# Author: Kevin Zembower
+# Edited: Daniel Black - syslog based daemon
--- /dev/null
+# fail2ban filter configuration for horde
+
+
+[Definition]
+
+
+failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
+
+
+ignoreregex =
+
+# DEV NOTES:
+# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
+# https://github.com/horde/horde/blob/master/horde/login.php
+#
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
+#
+
+[Definition]
+
+failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+
+ignoreregex =
+
+# Author: Francois Boulogne <fboulogne@april.org>
--- /dev/null
+# Fail2Ban filter for unsuccesfull MySQL authentication attempts
+#
+#
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = mysqld
+
+failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Technically __prefix_line can equate to an empty string hence it can support
+# syslog and non-syslog at once.
+# Example:
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+#
+# Authors: Artur Penttinen
+# Yaroslav O. Halchenko
--- /dev/null
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon = nrpe
+failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa - 2014/02/03
--- /dev/null
+# Fail2Ban filter file for named (bind9).
+#
+
+# This filter blocks attacks against named (bind9) however it requires special
+# configuration on bind.
+#
+# By default, logging is off with bind9 installation.
+#
+# You will need something like this in your named.conf to provide proper logging.
+#
+# logging {
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category security {
+# security_file;
+# };
+# };
+
+[Definition]
+
+# Daemon name
+_daemon=named
+
+# Shortcuts for easier comprehension of the failregex
+
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+
+# hostname daemon_id spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
+ ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
+ ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+
+# DEV Notes:
+# Trying to generalize the
+# structure which is general to capture general patterns in log
+# lines to cover different configurations/distributions
+#
+# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
+#
+# Author: Yaroslav Halchenko
--- /dev/null
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
+
+ignoreregex =
+
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+#
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+
+failregex = ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+ ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
--- /dev/null
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
+ ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com
--- /dev/null
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+# if you want to catch only login errors from specific daemons, use something like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+#
+# Default: catch all failed logins
+_ttys_re=\S*
+
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon = \S+
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+#
+# Author: Yaroslav Halchenko
--- /dev/null
+# Fail2Ban filter for perdition
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+ ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black
--- /dev/null
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
--- /dev/null
+# Fail2Ban filter for postfix authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+
+# Author: Yaroslav Halchenko
--- /dev/null
+# Fail2Ban filter for selected Postfix SMTP rejections
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
+ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
+ ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
+ ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
+
+ignoreregex =
+
+# Author: Cyril Jaquier
--- /dev/null
+# Fail2Ban fitler for the Proftpd FTP daemon
+#
+# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
+# See: http://www.proftpd.org/docs/howto/DNS.html
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
+
+failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+ ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
+ ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
+ ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
+
+ignoreregex =
+
+# Author: Yaroslav Halchenko
+# Daniel Black - hardening of regex
--- /dev/null
+# Fail2Ban filter for pureftp
+#
+# Disable hostname based logging by:
+#
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = pure-ftpd
+
+# Error message specified in multiple languages
+__errmsg = (?:�ϥΪ�\[.*\]���ҥ���|ʹ����\[.*\]��֤ʧ��|\[.*\] kullan�c�s� i�in giri� hatal�|����������� �� ������� ������������ \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh�righetskontroll misslyckas f�r anv�ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica��o falhou para usu�rio \[.*\]|Autentyfikacja nie powiod�a si� dla u�ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] ��� ���� ����|Autenticazione falita per l'utente \[.*\]|Azonos�t�s sikertelen \[.*\] felhaszn�l�nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci�n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f�r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u�ivatele selhala \[.*\])
+
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
+
+ignoreregex =
+
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src
--- /dev/null
+# Fail2Ban filters for qmail RBL patches/fake proxies
+#
+# the default djb RBL implementation doesn't log any rejections
+# so is useless with this filter.
+#
+# One patch is here:
+#
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:qmail|rblsmtpd)
+
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
+ ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
+ ^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban filter for repeat bans
+#
+# This filter monitors the fail2ban log file, and enables you to add long
+# time bans for ip addresses that get banned by fail2ban multiple times.
+#
+# Reasons to use this: block very persistent attackers for a longer time,
+# stop receiving email notifications about the same attacker over and
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a
+# different blocking mechanism for this jail versus others (e.g. hostsdeny
+# for most jails, and shorewall for this one).
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = fail2ban\.actions
+
+# The name of the jail that this filter is used for. In jail.conf, name the
+# jail using this filter 'recidive', or change this line!
+_jailname = recidive
+
+failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+
+# Author: Tom Hendrikx, modifications by Amir Caspi
--- /dev/null
+# Fail2Ban configuration file for roundcube web server
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
+
+ignoreregex =
+# DEV Notes:
+#
+# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
+#
+# Part after <HOST> comes straight from IMAP server up until the " in ....."
+# Earlier versions didn't log the IMAP response hence optional.
+#
+# DoS resistance:
+#
+# Assume that the user can inject "from <HOST>" into the imap response
+# somehow. Write test cases around this to ensure that the combination of
+# arbitrary user input and IMAP response doesn't inject the wrong IP for
+# fail2ban
+#
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black
--- /dev/null
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid
+# _subj
+# _msg
+#
+# Also one of these variables must include <HOST>.
+
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
+
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+
+# DEV Notes:
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+#
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black
--- /dev/null
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+ ^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+ ^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
+ ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black and Fabian Wenk
--- /dev/null
+# Fail2Ban filter for sieve authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_deamon = (?:cyrus/)?(?:tim)?sieved?
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
+
+ignoreregex =
+
+# Author: Jan Wagner <waja@cyconet.org>
--- /dev/null
+# Fail2ban filter for SOGo authentcation
+#
+# Log file usually in /var/log/sogo/sogo.log
+
+[Definition]
+
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
+
+ignoreregex =
+
+#
+# DEV Notes:
+#
+# The error log may contain multiple hosts, whereas the first one
+# is the client and all others are poxys. We match the first one, only
+#
+# Author: Arnd Brandes
--- /dev/null
+# Fail2Ban filter for unsuccesful solid-pop3 authentication attempts
+#
+# Doesn't currently provide PAM support as PAM log messages don't include rhost as
+# remote IP.
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = solid-pop3d
+
+failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
+ ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
+ ^%(__prefix_line)sroot login not allowed - <HOST>$
+ ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# solid-pop3d needs to be compiled with --enable-logextend to support
+# IP addresses in log messages.
+#
+# solid-pop3d-0.15/src/main.c contains all authentication errors
+# except for PAM authentication messages ( src/authenticate.c )
+#
+# A pam authentication failure message (note no IP for rhost).
+# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques
+#
+# Authors: Daniel Black
--- /dev/null
+# Fail2Ban filter for Squid attempted proxy bypasses
+#
+#
+
+[Definition]
+
+failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
+ ^\s+\d\s<HOST>\s+NONE/405 .*$
+
+
+
+# Author: Daniel Black
+
--- /dev/null
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+# http://www.securityfocus.com/bid/17958/exploit
+# The example code here shows the pushing of the exploit straight after
+# reading the server version. This is where the client version string normally
+# pushed. As such the server will read this unparsible information as
+# "Did not receive identification string".
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
+
+ignoreregex =
+
+# Author: Yaroslav Halchenko
--- /dev/null
+# Fail2Ban filter for openssh
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+ ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+ ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+# it is coming before use of <HOST> which is not hard-anchored at the end as well,
+# and later catch-all's could contain user-provided input, which need to be greedily
+# matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
--- /dev/null
+# Fail2Ban filter for suhosian PHP hardening
+#
+# This occurs with lighttpd or directly from the plugin
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:lighttpd|suhosin)
+
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
--- /dev/null
+# Fail2Ban filter for uwimap
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$
+ ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
+
+ignoreregex =
+
+# Author: Amir Caspi
--- /dev/null
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon = vsftpd
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+ ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
+
+ignoreregex =
+
+# Author: Cyril Jaquier
+# Documentation from fail2ban wiki
--- /dev/null
+# Fail2Ban filter for webmin
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = webmin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
+ ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
+# webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Rule Author: Delvit Guillaume
--- /dev/null
+# Fail2Ban configuration file for wuftpd
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = wu-ftpd
+__pam_re=\(?pam_unix(?:\(wu-ftpd:auth\))?\)?:?
+
+failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
+ ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+
+ignoreregex =
+
+# Author: Yaroslav Halchenko
--- /dev/null
+# Fail2Ban filter for xinetd failures
+#
+# Cfr.: /var/log/(daemon\.|sys)log
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = xinetd
+
+failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
+ ^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto
--- /dev/null
+# Fail2Ban configuration file.
+#
+# This file was composed for Debian systems from the original one
+# provided now under /usr/share/doc/fail2ban/examples/jail.conf
+# for additional examples.
+#
+# Comments: use '#' for comment lines and ';' for inline comments
+#
+# To avoid merges during upgrades DO NOT MODIFY THIS FILE
+# and rather provide your changes in /etc/fail2ban/jail.local
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
+# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+usedns = warn
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = frank@brehm-online.com
+
+#
+# Name of the sender for mta actions
+sendername = Fail2Ban
+
+# Email address of the sender
+sender = fail2ban+ns3@brehm-online.com
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sender="%(sender)s", sendername="%(sendername)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+[ssh]
+
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/syslog.d/auth.log
+action = %(action_mw)s
+maxretry = 6
+
+[dropbear]
+
+enabled = false
+port = ssh
+filter = dropbear
+logpath = /var/log/auth.log
+maxretry = 6
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled = false
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port = all
+banaction = iptables-allports
+port = anyport
+logpath = /var/log/auth.log
+maxretry = 6
+
+[xinetd-fail]
+
+enabled = false
+filter = xinetd-fail
+port = all
+banaction = iptables-multiport-log
+logpath = /var/log/daemon.log
+maxretry = 2
+
+
+[ssh-ddos]
+
+enabled = false
+port = ssh
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 6
+
+
+# Here we use blackhole routes for not requiring any additional kernel support
+# to store large volumes of banned IPs
+
+[ssh-route]
+
+enabled = false
+filter = sshd
+action = route
+logpath = /var/log/sshd.log
+maxretry = 6
+
+# Here we use a combination of Netfilter/Iptables and IPsets
+# for storing large volumes of banned IPs
+#
+# IPset comes in two versions. See ipset -V for which one to use
+# requires the ipset package and kernel support.
+[ssh-iptables-ipset4]
+
+enabled = false
+port = ssh
+filter = sshd
+banaction = iptables-ipset-proto4
+logpath = /var/log/sshd.log
+maxretry = 6
+
+[ssh-iptables-ipset6]
+
+enabled = false
+port = ssh
+filter = sshd
+banaction = iptables-ipset-proto6
+logpath = /var/log/sshd.log
+maxretry = 6
+
+
+#
+# HTTP servers
+#
+
+[apache]
+
+enabled = false
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+# default action is now multiport, so apache-multiport jail was left
+# for compatibility with previous (<0.7.6-2) releases
+[apache-multiport]
+
+enabled = false
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-noscript]
+
+enabled = false
+port = http,https
+filter = apache-noscript
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled = false
+port = http,https
+filter = apache-overflows
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-modsecurity]
+
+enabled = false
+filter = apache-modsecurity
+port = http,https
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-nohome]
+
+enabled = false
+filter = apache-nohome
+port = http,https
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port = http,https
+filter = php-url-fopen
+logpath = /var/www/*/logs/access_log
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+# ALERT – tried to register forbidden variable ‘GLOBALS’
+# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+
+[lighttpd-fastcgi]
+
+enabled = false
+port = http,https
+filter = lighttpd-fastcgi
+logpath = /var/log/lighttpd/error.log
+
+# Same as above for mod_auth
+# It catches wrong authentifications
+
+[lighttpd-auth]
+
+enabled = false
+port = http,https
+filter = suhosin
+logpath = /var/log/lighttpd/error.log
+
+[nginx-http-auth]
+
+enabled = false
+filter = nginx-http-auth
+port = http,https
+logpath = /var/log/nginx/error.log
+
+# Monitor roundcube server
+
+[roundcube-auth]
+
+enabled = false
+filter = roundcube-auth
+port = http,https
+logpath = /var/log/roundcube/userlogins
+
+
+[sogo-auth]
+
+enabled = false
+filter = sogo-auth
+port = http, https
+# without proxy this would be:
+# port = 20000
+logpath = /var/log/sogo/sogo.log
+
+
+#
+# FTP servers
+#
+
+[vsftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = vsftpd
+logpath = /var/log/vsftpd.log
+# or overwrite it in jails.local to be
+# logpath = /var/log/auth.log
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+maxretry = 6
+
+
+[proftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = proftpd
+logpath = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+
+[pure-ftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = pure-ftpd
+logpath = /var/log/syslog
+maxretry = 6
+
+
+[wuftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = wuftpd
+logpath = /var/log/syslog
+maxretry = 6
+
+
+#
+# Mail servers
+#
+
+[postfix]
+
+enabled = true
+port = smtp,ssmtp,submission
+filter = postfix
+logpath = /var/log/syslog.d/mail.log
+action = %(action_mw)s
+
+
+[couriersmtp]
+
+enabled = false
+port = smtp,ssmtp,submission
+filter = couriersmtp
+logpath = /var/log/mail.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courierauth]
+
+enabled = false
+port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+filter = courierlogin
+logpath = /var/log/mail.log
+
+
+[sasl]
+
+enabled = false
+port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+filter = postfix-sasl
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath = /var/log/mail.log
+
+[dovecot]
+
+enabled = false
+port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+filter = dovecot
+logpath = /var/log/mail.log
+
+# To log wrong MySQL access attempts add to /etc/my.cnf:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+[mysqld-auth]
+
+enabled = false
+filter = mysqld-auth
+port = 3306
+logpath = /var/log/mysqld.log
+
+
+# DNS Servers
+
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category security {
+# security_file;
+# };
+# };
+#
+# in your named.conf to provide proper logging
+
+# !!! WARNING !!!
+# Since UDP is connection-less protocol, spoofing of IP and imitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled = false
+#port = domain,953
+#protocol = udp
+#filter = named-refused
+#logpath = /var/log/named/security.log
+
+[named-refused-tcp]
+
+enabled = false
+port = domain,953
+protocol = tcp
+filter = named-refused
+logpath = /var/log/named/security.log
+
+[freeswitch]
+
+enabled = false
+filter = freeswitch
+logpath = /var/log/freeswitch.log
+maxretry = 10
+action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
+ iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
+
+[ejabberd-auth]
+
+enabled = false
+filter = ejabberd-auth
+port = xmpp-client
+protocol = tcp
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+# Multiple jails, 1 per protocol, are necessary ATM:
+# see https://github.com/fail2ban/fail2ban/issues/37
+[asterisk-tcp]
+
+enabled = false
+filter = asterisk
+port = 5060,5061
+protocol = tcp
+logpath = /var/log/asterisk/messages
+
+[asterisk-udp]
+
+enabled = false
+filter = asterisk
+port = 5060,5061
+protocol = udp
+logpath = /var/log/asterisk/messages
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNING !!!
+# Make sure that your loglevel specified in fail2ban.conf/.local
+# is not at DEBUG level -- which might then cause fail2ban to fall into
+# an infinite loop constantly feeding itself with non-informative lines
+[recidive]
+
+enabled = false
+filter = recidive
+logpath = /var/log/fail2ban.log
+action = iptables-allports[name=recidive]
+ sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+bantime = 604800 ; 1 week
+findtime = 86400 ; 1 day
+maxretry = 5
+
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+[ssh-blocklist]
+
+enabled = false
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+ blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
+logpath = /var/log/sshd.log
+maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled = false
+filter = nagios
+action = iptables[name=Nagios, port=5666, protocol=tcp]
+ sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
+maxretry = 1
+
+# vim: filetype=dosini
crontab:x:107:
netdev:x:108:
ssh:x:109:
+ssl-cert:x:110:
+postfix:x:111:
+postdrop:x:112:
crontab:x:107:
netdev:x:108:
ssh:x:109:
+ssl-cert:x:110:
+postfix:x:111:
crontab:!::
netdev:!::
ssh:!::
+ssl-cert:!::
+postfix:!::
+postdrop:!::
crontab:!::
netdev:!::
ssh:!::
+ssl-cert:!::
+postfix:!::
127.0.0.1 localhost
-127.0.1.1 ns2
+127.0.1.1 ns2.uhu-banane.de ns2
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
--- /dev/null
+#! /bin/sh
+#
+# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
+# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+# Modified for Debian by Christoph Lameter <clameter@debian.org>
+# Modified for chrony by John Hasler <jhasler@debian.org> 1998-2012
+
+### BEGIN INIT INFO
+# Provides: chrony
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $syslog $network $named $time
+# Should-Stop: $syslog $network $named $time
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Controls chronyd NTP time daemon
+# Description: Chronyd is the NTP time daemon in the Chrony package
+### END INIT INFO
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/chronyd
+FLAGS="defaults"
+NAME="chronyd"
+DESC="time daemon"
+
+test -f $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+putonline ()
+{ # Do we have a default route? If so put chronyd online.
+ if timelimit -q -s9 -t5 -- netstat -rn 2>/dev/null | grep -q '0\.0\.0\.0'
+ then
+ sleep 2 # Chronyd can take a while to start.
+ KEY=$(awk '$1 ~ /^commandkey$/ { print $2; exit}' /etc/chrony/chrony.conf)
+ PASSWORD=`awk '$1 ~ /^'$KEY'$/ {print $2; exit}' /etc/chrony/chrony.keys`
+ # Make sure chronyc can't hang us up.
+ if timelimit -q -s9 -t5 -- /usr/bin/chronyc > /dev/null << EOF
+password $PASSWORD
+online
+burst 5/10
+quit
+EOF
+ then
+ touch /var/run/chrony-ppp-up
+ echo "$NAME is running and online."
+ else
+ rm -f /var/run/chrony-ppp-up
+ echo "$NAME is running and offline."
+ fi
+ else
+ rm -f /var/run/chrony-ppp-up
+ echo "$NAME is running and offline."
+ fi
+}
+
+case "$1" in
+ start)
+ start-stop-daemon --start --verbose --exec $DAEMON
+ case "$?" in
+ 0) # daemon successfully started
+ putonline
+ ;;
+ 1) # daemon already running
+ ;;
+ *) # daemon could not be started
+ echo "$DAEMON failed to start."
+ exit 1
+ ;;
+ esac
+ ;;
+ stop)
+ start-stop-daemon --stop --verbose --oknodo --exec $DAEMON
+ rm -f /var/run/chrony-ppp-up
+ ;;
+ restart|force-reload)
+ echo -n "Restarting $DESC: "
+ start-stop-daemon --stop --quiet --exec $DAEMON
+ sleep 1
+ start-stop-daemon --start --verbose --exec $DAEMON -- -r
+ case "$?" in
+ 0) # daemon successfully started
+ putonline
+ ;;
+ 1) # still running
+ ;;
+ *) # daemon could not be started
+ echo "$DAEMON failed to restart."
+ rm -f /var/run/chrony-ppp-up
+ exit 1
+ ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/chrony {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: fail2ban
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
+# Should-Stop: $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start/stop fail2ban
+# Description: Start/stop fail2ban, a daemon scanning the log files and
+# banning potential attackers.
+### END INIT INFO
+
+# Author: Aaron Isotton <aaron@isotton.com>
+# Modified: by Yaroslav Halchenko <debian@onerussian.com>
+# reindented + minor corrections + to work on sarge without modifications
+# Modified: by Glenn Aaldering <glenn@openvideo.nl>
+# added exit codes for status command
+#
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="authentication failure monitor"
+NAME=fail2ban
+
+# fail2ban-client is not a daemon itself but starts a daemon and
+# loads its with configuration
+DAEMON=/usr/bin/$NAME-client
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Ad-hoc way to parse out socket file name
+SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
+ | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
+[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Run as root by default.
+FAIL2BAN_USER=root
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+DAEMON_ARGS="$FAIL2BAN_OPTS"
+
+# Load the VERBOSE setting and other rcS variables
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Predefine what can be missing from lsb source later on -- necessary to run
+# on sarge. Just present it in a bit more compact way from what was shipped
+log_daemon_msg () {
+ [ -z "$1" ] && return 1
+ echo -n "$1:"
+ [ -z "$2" ] || echo -n " $2"
+}
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
+# so we must be ok
+. /lib/lsb/init-functions
+
+#
+# Shortcut function for abnormal init script interruption
+#
+report_bug()
+{
+ echo $*
+ echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
+ exit 1
+}
+
+#
+# Helper function to check if socket is present, which is often left after
+# abnormal exit of fail2ban and needs to be removed
+#
+check_socket()
+{
+ # Return
+ # 0 if socket is present and readable
+ # 1 if socket file is not present
+ # 2 if socket file is present but not readable
+ # 3 if socket file is present but is not a socket
+ [ -e "$SOCKFILE" ] || return 1
+ [ -r "$SOCKFILE" ] || return 2
+ [ -S "$SOCKFILE" ] || return 3
+ return 0
+}
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ do_status && return 1
+
+ if [ -e "$SOCKFILE" ]; then
+ log_failure_msg "Socket file $SOCKFILE is present"
+ [ "$1" = "force-start" ] \
+ && log_success_msg "Starting anyway as requested" \
+ || return 2
+ DAEMON_ARGS="$DAEMON_ARGS -x"
+ fi
+
+ # Assure that /var/run/fail2ban exists
+ [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
+
+ if [ "$FAIL2BAN_USER" != "root" ]; then
+ # Make the socket directory, IP lists and fail2ban log
+ # files writable by fail2ban
+ chown "$FAIL2BAN_USER" /var/run/fail2ban
+ # Create the logfile if it doesn't exist
+ touch /var/log/fail2ban.log
+ chown "$FAIL2BAN_USER" /var/log/fail2ban.log
+ find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
+ fi
+
+ start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
+ $DAEMON_ARGS start > /dev/null\
+ || return 2
+
+ return 0
+}
+
+
+#
+# Function that checks the status of fail2ban and returns
+# corresponding code
+#
+do_status()
+{
+ $DAEMON ping > /dev/null 2>&1
+ return $?
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ $DAEMON status > /dev/null 2>&1 || return 1
+ $DAEMON stop > /dev/null || return 2
+
+ # now we need actually to wait a bit since it might take time
+ # for server to react on client's stop request. Especially
+ # important for restart command on slow boxes
+ count=1
+ while do_status && [ $count -lt 60 ]; do
+ sleep 1
+ count=$(($count+1))
+ done
+ [ $count -lt 60 ] || return 3 # failed to stop
+
+ return 0
+}
+
+#
+# Function to reload configuration
+#
+do_reload() {
+ $DAEMON reload > /dev/null && return 0 || return 1
+ return 0
+}
+
+# yoh:
+# shortcut function to don't duplicate case statements and to don't use
+# bashisms (arrays). Fixes #368218
+#
+log_end_msg_wrapper()
+{
+ if [ "$3" != "no" ]; then
+ [ $1 -lt $2 ] && value=0 || value=1
+ log_end_msg $value
+ fi
+}
+
+command="$1"
+case "$command" in
+ start|force-start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start "$command"
+ log_end_msg_wrapper $? 2 "$VERBOSE"
+ ;;
+
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ log_end_msg_wrapper $? 2 "$VERBOSE"
+ ;;
+
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ log_end_msg_wrapper $? 1 "always"
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+
+ status)
+ log_daemon_msg "Status of $DESC"
+ do_status
+ case $? in
+ 0) log_success_msg " $NAME is running" ;;
+ 255)
+ check_socket
+ case $? in
+ 1) log_failure_msg " $NAME is not running" && exit 3 ;;
+ 0) log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 ;;
+ 2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 ;;
+ 3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 ;;
+ *) report_bug "Unknown return code from $NAME:check_socket." && exit 4 ;;
+ esac
+ ;;
+ *) report_bug "Unknown $NAME status code" && exit 4
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: haveged
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $syslog
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Entropy daemon using the HAVEGE algorithm
+# Description: haveged uses HAVEGE (HArdware Volatile Entropy Gathering
+# and Expansion) to maintain a pool of random bytes used
+# to fill /dev/random whenever necessary.
+### END INIT INFO
+
+# Do NOT "set -e"
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="entropy daemon"
+NAME=haveged
+DAEMON=/usr/sbin/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+. /lib/lsb/init-functions
+
+do_start()
+{
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+}
+
+do_stop()
+{
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
--- /dev/null
+#!/bin/sh -e
+
+# Start or stop Postfix
+#
+# LaMont Jones <lamont@debian.org>
+# based on sendmail's init.d script
+
+### BEGIN INIT INFO
+# Provides: postfix mail-transport-agent
+# Required-Start: $local_fs $remote_fs $syslog $named $network $time
+# Required-Stop: $local_fs $remote_fs $syslog $named $network
+# Should-Start: postgresql mysql clamav-daemon postgrey spamassassin saslauthd dovecot
+# Should-Stop: postgresql mysql clamav-daemon postgrey spamassassin saslauthd dovecot
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Postfix Mail Transport Agent
+# Description: postfix is a Mail Transport agent
+### END INIT INFO
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/postfix
+NAME=Postfix
+TZ=
+unset TZ
+
+# Defaults - don't touch, edit /etc/default/postfix
+SYNC_CHROOT="y"
+
+test -f /etc/default/postfix && . /etc/default/postfix
+
+test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
+
+. /lib/lsb/init-functions
+#DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
+
+enabled_instances() {
+ postmulti -l -a | awk '($3=="y") { print $1}'
+}
+
+running() {
+ INSTANCE="$1"
+ if [ "X$INSTANCE" = X ]; then
+ POSTCONF="postconf"
+ else
+ POSTCONF="postmulti -i $INSTANCE -x postconf"
+ fi
+
+ queue=$($POSTCONF -h queue_directory 2>/dev/null || echo /var/spool/postfix)
+ if [ -f ${queue}/pid/master.pid ]; then
+ pid=$(sed 's/ //g' ${queue}/pid/master.pid)
+ # what directory does the executable live in. stupid prelink systems.
+ dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
+ if [ "X$dir" = "X/usr/lib/postfix" ]; then
+ echo y
+ fi
+ fi
+}
+
+configure_instance() {
+ INSTANCE="$1"
+ if [ "X$INSTANCE" = X ]; then
+ POSTCONF="postconf"
+ else
+ POSTCONF="postmulti -i $INSTANCE -x postconf"
+ fi
+
+
+ # if you set myorigin to 'ubuntu.com' or 'debian.org', it's wrong, and annoys the admins of
+ # those domains. See also sender_canonical_maps.
+
+ MYORIGIN=$($POSTCONF -h myorigin | tr 'A-Z' 'a-z')
+ if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
+ MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
+ fi
+ if [ "X$MYORIGIN" = Xubuntu.com ] || [ "X$MYORIGIN" = Xdebian.org ]; then
+ log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
+ log_end_msg 1
+ exit 1
+ fi
+
+ config_dir=$($POSTCONF -h config_directory)
+ # see if anything is running chrooted.
+ NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' ${config_dir}/master.cf)
+
+ if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+ # Make sure that the chroot environment is set up correctly.
+ oldumask=$(umask)
+ umask 022
+ queue_dir=$($POSTCONF -h queue_directory)
+ cd "$queue_dir"
+
+ # copy the CA path if specified
+ ca_path=$($POSTCONF -h smtp_tls_CApath)
+ case "$ca_path" in
+ '') :;; # no ca_path
+ $queue_dir/*) :;; # skip stuff already in chroot, (and to make vim syntax happy: */)
+ *)
+ if test -d "$ca_path"; then
+ dest_dir="$queue_dir/${ca_path#/}"
+ # strip any/all trailing /
+ while [ "${dest_dir%/}" != "${dest_dir}" ]; do
+ dest_dir="${dest_dir%/}"
+ done
+ new=0
+ if test -d "$dest_dir"; then
+ # write to a new directory ...
+ dest_dir="${dest_dir}.NEW"
+ new=1
+ fi
+ mkdir --parent ${dest_dir}
+ # handle files in subdirectories
+ (cd "$ca_path" && find . -name '*.pem' -print0 | cpio -0pdL --quiet "$dest_dir") 2>/dev/null ||
+ (log_failure_msg failure copying certificates; exit 1)
+ c_rehash "$dest_dir" >/dev/null 2>&1
+ if [ "$new" = 1 ]; then
+ # and replace the old directory
+ rm -rf "${dest_dir%.NEW}"
+ mv "$dest_dir" "${dest_dir%.NEW}"
+ fi
+ fi
+ ;;
+ esac
+
+ # if there is a CA file, copy it
+ ca_file=$($POSTCONF -h smtp_tls_CAfile)
+ case "$ca_file" in
+ $queue_dir/*) :;; # skip stuff already in chroot
+ '') # no ca_file
+ # or copy the bundle to preserve functionality
+ ca_bundle=/etc/ssl/certs/ca-certificates.crt
+ if [ -f $ca_bundle ]; then
+ mkdir --parent "$queue_dir/${ca_bundle%/*}"
+ cp -L "$ca_bundle" "$queue_dir/${ca_bundle%/*}"
+ fi
+ ;;
+ *)
+ if test -f "$ca_file"; then
+ dest_dir="$queue_dir/${ca_path#/}"
+ mkdir --parent "$dest_dir"
+ cp -L "$ca_file" "$dest_dir"
+ fi
+ ;;
+ esac
+
+ # if we're using unix:passwd.byname, then we need to add etc/passwd.
+ local_maps=$($POSTCONF -h local_recipient_maps)
+ if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+ if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+ sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+ chmod a+r etc/passwd
+ fi
+ fi
+
+ FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+ etc/host.conf etc/nsswitch.conf etc/nss_mdns.config"
+ for file in $FILES; do
+ [ -d ${file%/*} ] || mkdir -p ${file%/*}
+ if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+ if [ -f ${file} ]; then chmod a+rX ${file}; fi
+ done
+ # ldaps needs this. debian bug 572841
+ (echo /dev/random; echo /dev/urandom) | cpio -pdL --quiet . 2>/dev/null || true
+ rm -f usr/lib/zoneinfo/localtime
+ mkdir -p usr/lib/zoneinfo
+ ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+
+ LIBLIST=$(for name in gcc_s nss resolv; do
+ for f in /lib/*/lib${name}*.so* /lib/lib${name}*.so*; do
+ if [ -f "$f" ]; then echo ${f#/}; fi;
+ done;
+ done)
+
+ if [ -n "$LIBLIST" ]; then
+ for f in $LIBLIST; do
+ rm -f "$f"
+ done
+ tar cf - -C / $LIBLIST 2>/dev/null |tar xf -
+ fi
+ umask $oldumask
+ fi
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
+ RET=0
+ # for all instances that are not already running, handle chroot setup if needed, and start
+ for INSTANCE in $(enabled_instances); do
+ RUNNING=$(running $INSTANCE)
+ if [ "X$RUNNING" = X ]; then
+ configure_instance $INSTANCE
+ CMD="/usr/sbin/postmulti -- -i $INSTANCE -x ${DAEMON}"
+ if ! start-stop-daemon --start --exec $CMD quiet-quick-start; then
+ RET=1
+ fi
+ fi
+ done
+ log_end_msg $RET
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
+ RET=0
+ # for all instances that are not already running, handle chroot setup if needed, and start
+ for INSTANCE in $(enabled_instances); do
+ RUNNING=$(running $INSTANCE)
+ if [ "X$RUNNING" != X ]; then
+ CMD="/usr/sbin/postmulti -i $INSTANCE -x ${DAEMON}"
+ if ! ${CMD} quiet-stop; then
+ RET=1
+ fi
+ fi
+ done
+ log_end_msg $RET
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+
+ force-reload|reload)
+ log_action_begin_msg "Reloading Postfix configuration"
+ if ${DAEMON} quiet-reload; then
+ log_action_end_msg 0
+ else
+ log_action_end_msg 1
+ fi
+ ;;
+
+ status)
+ ALL=1
+ ANY=0
+ # for all instances that are not already running, handle chroot setup if needed, and start
+ for INSTANCE in $(enabled_instances); do
+ RUNNING=$(running $INSTANCE)
+ if [ "X$RUNNING" != X ]; then
+ ANY=1
+ else
+ ALL=0
+ fi
+ done
+ # handle the case when postmulti returns *no* configured instances
+ if [ $ANY = 0 ]; then
+ ALL=0
+ fi
+ if [ $ALL = 1 ]; then
+ log_success_msg "postfix is running"
+ exit 0
+ elif [ $ANY = 1 ]; then
+ log_success_msg "some postfix instances are running"
+ exit 0
+ else
+ log_success_msg "postfix is not running"
+ exit 3
+ fi
+ ;;
+
+ flush|check|abort)
+ ${DAEMON} $1
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: rsyncd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Should-Start: $named autofs
+# Default-Start: 2 3 4 5
+# Default-Stop:
+# Short-Description: fast remote file copy program daemon
+# Description: rsync is a program that allows files to be copied to and
+# from remote machines in much the same way as rcp.
+# This provides rsyncd daemon functionality.
+### END INIT INFO
+
+set -e
+
+# /etc/init.d/rsync: start and stop the rsync daemon
+
+DAEMON=/usr/bin/rsync
+RSYNC_ENABLE=false
+RSYNC_OPTS=''
+RSYNC_DEFAULTS_FILE=/etc/default/rsync
+RSYNC_CONFIG_FILE=/etc/rsyncd.conf
+RSYNC_PID_FILE=/var/run/rsync.pid
+RSYNC_NICE_PARM=''
+RSYNC_IONICE_PARM=''
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+if [ -s $RSYNC_DEFAULTS_FILE ]; then
+ . $RSYNC_DEFAULTS_FILE
+ case "x$RSYNC_ENABLE" in
+ xtrue|xfalse) ;;
+ xinetd) exit 0
+ ;;
+ *) log_failure_msg "Value of RSYNC_ENABLE in $RSYNC_DEFAULTS_FILE must be either 'true' or 'false';"
+ log_failure_msg "not starting rsync daemon."
+ exit 1
+ ;;
+ esac
+ case "x$RSYNC_NICE" in
+ x[0-9]|x1[0-9]) RSYNC_NICE_PARM="--nicelevel $RSYNC_NICE";;
+ x) ;;
+ *) log_warning_msg "Value of RSYNC_NICE in $RSYNC_DEFAULTS_FILE must be a value between 0 and 19 (inclusive);"
+ log_warning_msg "ignoring RSYNC_NICE now."
+ ;;
+ esac
+ case "x$RSYNC_IONICE" in
+ x-c[123]*) RSYNC_IONICE_PARM="$RSYNC_IONICE";;
+ x) ;;
+ *) log_warning_msg "Value of RSYNC_IONICE in $RSYNC_DEFAULTS_FILE must be -c1, -c2 or -c3;"
+ log_warning_msg "ignoring RSYNC_IONICE now."
+ ;;
+ esac
+fi
+
+export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
+
+rsync_start() {
+ if [ ! -s "$RSYNC_CONFIG_FILE" ]; then
+ log_failure_msg "missing or empty config file $RSYNC_CONFIG_FILE"
+ log_end_msg 1
+ exit 0
+ fi
+ # See ionice(1)
+ if [ -n "$RSYNC_IONICE_PARM" ] && [ -x /usr/bin/ionice ] &&
+ /usr/bin/ionice "$RSYNC_IONICE_PARM" true 2>/dev/null; then
+ /usr/bin/ionice "$RSYNC_IONICE_PARM" -p$$ > /dev/null 2>&1
+ fi
+ if start-stop-daemon --start --quiet --background \
+ --pidfile $RSYNC_PID_FILE --make-pidfile \
+ $RSYNC_NICE_PARM --exec $DAEMON \
+ -- --no-detach --daemon --config "$RSYNC_CONFIG_FILE" $RSYNC_OPTS
+ then
+ rc=0
+ sleep 1
+ if ! kill -0 $(cat $RSYNC_PID_FILE) >/dev/null 2>&1; then
+ log_failure_msg "rsync daemon failed to start"
+ rc=1
+ fi
+ else
+ rc=1
+ fi
+ if [ $rc -eq 0 ]; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ rm -f $RSYNC_PID_FILE
+ fi
+} # rsync_start
+
+
+case "$1" in
+ start)
+ if "$RSYNC_ENABLE"; then
+ log_daemon_msg "Starting rsync daemon" "rsync"
+ if [ -s $RSYNC_PID_FILE ] && kill -0 $(cat $RSYNC_PID_FILE) >/dev/null 2>&1; then
+ log_progress_msg "apparently already running"
+ log_end_msg 0
+ exit 0
+ fi
+ rsync_start
+ else
+ if [ -s "$RSYNC_CONFIG_FILE" ]; then
+ [ "$VERBOSE" != no ] && log_warning_msg "rsync daemon not enabled in $RSYNC_DEFAULTS_FILE, not starting..."
+ fi
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping rsync daemon" "rsync"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $RSYNC_PID_FILE
+ log_end_msg $?
+ rm -f $RSYNC_PID_FILE
+ ;;
+
+ reload|force-reload)
+ log_warning_msg "Reloading rsync daemon: not needed, as the daemon"
+ log_warning_msg "re-reads the config file whenever a client connects."
+ ;;
+
+ restart)
+ set +e
+ if $RSYNC_ENABLE; then
+ log_daemon_msg "Restarting rsync daemon" "rsync"
+ if [ -s $RSYNC_PID_FILE ] && kill -0 $(cat $RSYNC_PID_FILE) >/dev/null 2>&1; then
+ start-stop-daemon --stop --quiet --oknodo --pidfile $RSYNC_PID_FILE || true
+ sleep 1
+ else
+ log_warning_msg "rsync daemon not running, attempting to start."
+ rm -f $RSYNC_PID_FILE
+ fi
+ rsync_start
+ else
+ if [ -s "$RSYNC_CONFIG_FILE" ]; then
+ [ "$VERBOSE" != no ] && log_warning_msg "rsync daemon not enabled in $RSYNC_DEFAULTS_FILE, not starting..."
+ fi
+ fi
+ ;;
+
+ status)
+ status_of_proc -p $RSYNC_PID_FILE "$DAEMON" rsync
+ exit $? # notreached due to set -e
+ ;;
+ *)
+ echo "Usage: /etc/init.d/rsync {start|stop|reload|force-reload|restart|status}"
+ exit 1
+esac
+
+exit 0
--- /dev/null
+$mail-transport-agent postfix
--- /dev/null
+\w{3} [ :0-9]{11} [._[:alnum:]-]+ [._[:alnum:]-]+: DIGEST-MD5 common mech free
weekly
# keep 4 weeks worth of backlogs
-rotate 4
+rotate 99
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
-#compress
+compress
+delaycompress
# packages drop log rotation information into this directory
include /etc/logrotate.d
missingok
monthly
create 0664 root utmp
- rotate 1
+ rotate 12
+ size 4M
}
/var/log/btmp {
missingok
monthly
create 0660 root utmp
- rotate 1
+ rotate 12
+ size 4M
}
# system-specific logs may be configured here
--- /dev/null
+/var/log/chrony/*.log {
+ weekly
+ rotate 7
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ create 644
+ postrotate
+ PASSWORD=`awk '$1 ~ /^1$/ {print $2; exit}' /etc/chrony/chrony.keys`
+ cat << EOF | /usr/bin/chronyc | sed '/^200 OK$/d'
+ password $PASSWORD
+ cyclelogs
+ EOF
+ endscript
+}
--- /dev/null
+/var/log/fail2ban.log {
+
+ weekly
+ rotate 4
+ compress
+
+ delaycompress
+ missingok
+ postrotate
+ fail2ban-client flushlogs 1>/dev/null
+ endscript
+
+ # If fail2ban runs as non-root it still needs to have write access
+ # to logfiles.
+ # create 640 fail2ban adm
+ create 640 root adm
+}
-/var/log/syslog
-{
+/var/log/syslog /var/log/messages {
rotate 7
daily
missingok
notifempty
- delaycompress
compress
+ delaycompress
+ dateext
+ size 4M
+ olddir /var/log/.old
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
-/var/log/messages
{
rotate 4
weekly
notifempty
compress
delaycompress
+ dateext
+ size 4M
+ olddir /var/log/.old
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
+
+/var/log/syslog.d/*.log {
+ rotate 10
+ weekly
+ missingok
+ notifempty
+ size 4M
+ delaycompress
+ dateext
+ compress
+ olddir /var/log/syslog.d/.old
+ sharedscripts
+ postrotate
+ reload rsyslog >/dev/null 2>&1 || true
+ endscript
+}
+
+# vim: ts=4 filetype=conf et
--- /dev/null
+ns2.uhu-banane.de
--- /dev/null
+ _ _ ____
+| \ | |___|___ \
+| \| / __| __) |
+| |\ \__ \/ __/
+|_| \_|___/_____|
+
--- /dev/null
+# This is the configuration file for Heirloom mailx (formerly
+# known under the name "nail".
+# See mailx(1) for further options.
+# This file is not overwritten when 'make install' is run in
+# the mailx build process again.
+
+# Sccsid @(#)nail.rc 2.11 (gritter) 8/2/08
+
+# Do not forward to mbox by default since this is likely to be
+# irritating for most users today.
+set hold
+
+# Append rather than prepend when writing to mbox automatically.
+# This has no effect unless 'hold' is unset again.
+set append
+
+# Ask for a message subject.
+set ask
+
+# Assume a CRT-like terminal and invoke a pager.
+set crt
+
+# Messages may be terminated by a dot.
+set dot
+
+# Do not remove empty mail folders in the spool directory.
+# This may be relevant for privacy since other users could
+# otherwise create them with different permissions.
+set keep
+
+# Do not remove empty private mail folders.
+set emptybox
+
+# Quote the original message in replies by "> " as usual on the Internet.
+set indentprefix="> "
+
+# Automatically quote the text of the message that is responded to.
+set quote
+
+# Outgoing messages are sent in ISO-8859-1 if all their characters are
+# representable in it, otherwise in UTF-8.
+set sendcharsets=iso-8859-1,utf-8
+
+# Display sender's real names in header summaries.
+set showname
+
+# Display the recipients of messages sent by the user himself in
+# header summaries.
+set showto
+
+# Automatically check for new messages at each prompt, but avoid polling
+# of IMAP servers or maildir folders.
+set newmail=nopoll
+
+# If threaded mode is activated, automatically collapse thread.
+set autocollapse
+
+# Mark messages that have been answered.
+set markanswered
+
+# Hide some header fields which are uninteresting for most human readers.
+ignore received in-reply-to message-id references
+ignore mime-version content-transfer-encoding
+
+# Only include selected header fields when forwarding messages.
+fwdretain subject date from to
--- /dev/null
+#!/bin/sh -e
+
+# Called when an interface disconnects
+# Written by LaMont Jones <lamont@debian.org>
+
+# start or reload Postfix as needed
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+ exit 0
+fi
+
+RUNNING=""
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+ pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+ exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+ if [ "X$exe" = "Xmaster" ]; then
+ RUNNING="y"
+ fi
+fi
+
+if [ ! -x /sbin/resolvconf ]; then
+ f=/etc/resolv.conf
+ if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+ exit 0
+ fi
+ if [ -n "$RUNNING" ]; then
+ /etc/init.d/postfix reload >/dev/null 2>&1
+ fi
+fi
+
+exit 0
--- /dev/null
+#!/bin/sh -e
+# Called when a new interface comes up
+# Written by LaMont Jones <lamont@debian.org>
+
+# don't bother to restart postfix when lo is configured.
+if [ "$IFACE" = "lo" ]; then
+ exit 0
+fi
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+ exit 0
+fi
+
+RUNNING=""
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+ pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+ exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+ if [ "X$exe" = "Xmaster" ]; then
+ RUNNING="y"
+ fi
+fi
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+ f=/etc/resolv.conf
+ if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+ exit 0
+ fi
+ if [ -n "$RUNNING" ]; then
+ /etc/init.d/postfix reload >/dev/null 2>&1
+ fi
+fi
+
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -n "$RUNNING" ]; then
+ if [ -x /usr/sbin/sendmail ]; then
+ /usr/sbin/sendmail -q >/dev/null 2>&1
+ fi
+fi
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
+postfix:x:105:111::/var/spool/postfix:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
+postfix:x:105:111::/var/spool/postfix:/bin/false
--- /dev/null
+acl
+acpi
+acpi-support-base
+acpid
+adduser
+apt
+apt-utils
+aptitude
+base-files
+base-passwd
+bash
+bash-completion
+bc
+bind9-host
+binutils
+bsdmainutils
+bsdutils
+busybox
+bzip2
+ca-certificates
+chrony
+colordiff
+console-data
+console-setup
+coreutils
+cpio
+cron
+dash
+dc
+ddate
+debconf
+debconf-i18n
+debian-archive-keyring
+debianutils
+diffutils
+discover
+dmidecode
+dmsetup
+dnsutils
+dpkg
+e2fslibs
+e2fsprogs
+eject
+fail2ban
+figlet
+file
+findutils
+fortunes
+fortunes-bofh-excuses
+fortunes-de
+fortunes-min
+ftp
+gcc-4.8-base
+gcc-4.9-base
+geoip-bin
+git
+git-email
+gnupg
+gpgv
+grep
+groff-base
+grub-common
+grub-pc
+gzip
+haveged
+heirloom-mailx
+hostname
+ifupdown
+init
+init-system-helpers
+initramfs-tools
+initscripts
+insserv
+installation-report
+iproute2
+iptables
+iputils-ping
+isc-dhcp-client
+isc-dhcp-common
+iso-codes
+isoquery
+keyboard-configuration
+kmod
+laptop-detect
+less
+libacl1
+libapt-inst1.5
+libapt-pkg4.12
+libattr1
+libaudit-common
+libaudit1
+libauthen-sasl-perl
+libblkid1
+libboost-iostreams1.55.0
+libbz2-1.0
+libc-bin
+libc6
+libcap2
+libcap2-bin
+libcomerr2
+libcryptsetup4
+libdb5.3
+libdebconfclient0
+libdevmapper1.02.1
+libdns-export100
+libestr0
+libffi6
+libfile-checktree-perl
+libgcc1
+libgcrypt20
+libgdbm3
+libgmp10
+libgnutls-deb0-28
+libgnutls-openssl27
+libgpg-error0
+libhogweed2
+libicu52
+libidn11
+libirs-export91
+libisc-export95
+libisccfg-export90
+libjson-c2
+libkmod2
+liblocale-gettext-perl
+liblogging-stdlog0
+liblognorm1
+liblzma5
+libmnl0
+libmount1
+libncurses5
+libncursesw5
+libnetfilter-acct1
+libnettle4
+libnewt0.52
+libnfnetlink0
+libp11-kit0
+libpam-modules
+libpam-modules-bin
+libpam-runtime
+libpam0g
+libparted-i18n
+libpcre3
+libpipeline1
+libpopt0
+libprocps3
+libpsl0
+libreadline6
+libsasl2-modules
+libselinux1
+libsemanage-common
+libsemanage1
+libsepol1
+libsigc++-2.0-0c2a
+libslang2
+libsmartcols1
+libss2
+libssl1.0.0
+libstdc++6
+libsystemd0
+libtasn1-6
+libterm-readline-gnu-perl
+libtext-charwidth-perl
+libtext-iconv-perl
+libtext-wrapi18n-perl
+libtinfo5
+libudev1
+libusb-0.1-4
+libustr-1.0-1
+libuuid1
+libxtables10
+linux-image-amd64
+locales
+login
+logrotate
+lsb-base
+lsb-release
+lsof
+lvm2
+make
+man-db
+manpages
+mawk
+mime-support
+mount
+multiarch-support
+nano
+ncurses-base
+ncurses-bin
+net-tools
+netbase
+netcat-traditional
+nfacct
+openssh-client
+openssl-blacklist
+parted
+passwd
+patch
+pciutils
+perl
+perl-base
+perl-doc
+perl-modules
+postfix
+postfix-pcre
+procmail
+procps
+psmisc
+python
+python-pyinotify
+readline-common
+rsync
+rsyslog
+sed
+sensible-utils
+shared-mime-info
+startpar
+strace
+systemd
+sysv-rc
+sysvinit-core
+sysvinit-utils
+tar
+task-english
+task-ssh-server
+tasksel
+tasksel-data
+thin-provisioning-tools
+time
+traceroute
+tzdata
+udev
+usbutils
+util-linux
+vim
+vim-common
+vim-tiny
+wget
+whiptail
+whois
+xz-utils
+zlib1g
--- /dev/null
+# Postfix dynamic maps configuration file.
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open
+sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open
+pcre /usr/lib/postfix/dict_pcre.so dict_pcre_open
--- /dev/null
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = yes
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/postfix/postfix.pem
+smtpd_tls_key_file = /etc/postfix/postfix.pem
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = ns2.uhu-banane.de
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = ns2.uhu-banane.de, ns2.brehm-online.com, localhost.uhu-banane.de, localhost
+relayhost = [mail.brehm-online.com]
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 162.254.24.33
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+# inet_interfaces = loopback-only
+inet_protocols = ipv4
+mydomain = uhu-banane.de
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
+smtp_sasl_security_options = noanonymous
+smtp_tls_cert_file = /etc/postfix/postfix.pem
+smtp_tls_enforce_peername = no
+smtp_tls_key_file = /etc/postfix/postfix.pem
+smtp_use_tls = yes
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_security_options = noanonymous
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+unknown_local_recipient_reject_code = 550
--- /dev/null
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (yes) (never) (100)
+# ==========================================================================
+smtp inet n - - - - smtpd
+#smtp inet n - - - 1 postscreen
+#smtpd pass - - - - - smtpd
+#dnsblog unix - - - - 0 dnsblog
+#tlsproxy unix - - - - 0 tlsproxy
+#submission inet n - - - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - - - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - - - - qmqpd
+pickup unix n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
--- /dev/null
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Postfix over SSL. Normally this script would get called by an automatic
+# package installation routine.
+
+test -x /usr/bin/openssl || exit 0
+
+prefix="/usr"
+pemfile="/etc/postfix/postfix.pem"
+randfile="/etc/postfix/postfix.rand"
+conffile="/etc/postfix/postfix-cert.cnf"
+
+if [ -f $pemfile ]; then
+ echo "$pemfile already exists."
+ exit 1
+fi
+
+if [ ! -f $conffile ] ; then
+ echo "$conffile does not exists!"
+ exit 2
+fi
+
+cp /dev/null $pemfile
+chmod 600 $pemfile
+chown root $pemfile
+
+cleanup() {
+ rm -f $pemfile
+ rm -f $randfile
+ exit 1
+}
+
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+/usr/bin/openssl req -new -x509 -days 3650 -nodes \
+ -config $conffile -out $pemfile -keyout $pemfile || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+rm -f $randfile
+
--- /dev/null
+#!/bin/sh
+
+# To view the formatted manual page of this file, type:
+# POSTFIXSOURCE/mantools/srctoman - post-install | nroff -man
+
+#++
+# NAME
+# post-install
+# SUMMARY
+# Postfix post-installation script
+# SYNOPSIS
+# postfix post-install [name=value] command ...
+# DESCRIPTION
+# The post-install script performs the finishing touch of a Postfix
+# installation, after the executable programs and configuration
+# files are installed. Usage is one of the following:
+# .IP o
+# While installing Postfix from source code on the local machine, the
+# script is run by the postfix-install script to update selected file
+# or directory permissions and to update Postfix configuration files.
+# .IP o
+# While installing Postfix from a pre-built package, the script is run
+# by the package management procedure to set all file or directory
+# permissions and to update Postfix configuration files.
+# .IP o
+# The script can be used to change installation parameter settings such
+# as mail_owner or setgid_group after Postfix is already installed.
+# .IP o
+# The script can be used to upgrade configuration files and to upgrade
+# file/directory permissions of a secondary Postfix instance.
+# .IP o
+# At Postfix start-up time, the script is run from "postfix check" to
+# create missing queue directories.
+# .PP
+# The post-install script is controlled by installation parameters.
+# Specific parameters are described at the end of this document.
+# All installation parameters must be specified ahead of time via
+# one of the methods described below.
+#
+# Arguments
+# .IP create-missing
+# Create missing queue directories with ownerships and permissions
+# according to the contents of $daemon_directory/postfix-files
+# and optionally in $daemon_directory/postfix-files.d/*, using
+# the mail_owner and setgid_group parameter settings from the
+# command line, process environment or from the installed
+# main.cf file.
+#
+# This is required at Postfix start-up time.
+# .IP set-permissions
+# Set all file/directory ownerships and permissions according to the
+# contents of $daemon_directory/postfix-files and optionally
+# in $daemon_directory/postfix-files.d/*, using the mail_owner
+# and setgid_group parameter settings from the command line,
+# process environment or from the installed main.cf file.
+# Implies create-missing.
+#
+# This is required when installing Postfix from a pre-built package,
+# or when changing the mail_owner or setgid_group installation parameter
+# settings after Postfix is already installed.
+# .IP upgrade-permissions
+# Update ownership and permission of existing files/directories as
+# specified in $daemon_directory/postfix-files and optionally
+# in $daemon_directory/postfix-files.d/*, using the mail_owner
+# and setgid_group parameter settings from the command line,
+# process environment or from the installed main.cf file.
+# Implies create-missing.
+#
+# This is required when upgrading an existing Postfix instance.
+# .IP upgrade-configuration
+# Edit the installed main.cf and master.cf files, in order to account
+# for missing services and to fix deprecated parameter settings.
+#
+# This is required when upgrading an existing Postfix instance.
+# .IP upgrade-source
+# Short-hand for: upgrade-permissions upgrade-configuration.
+#
+# This is recommended when upgrading Postfix from source code.
+# .IP upgrade-package
+# Short-hand for: set-permissions upgrade-configuration.
+#
+# This is recommended when upgrading Postfix from a pre-built package.
+# .IP first-install-reminder
+# Remind the user that they still need to configure main.cf and the
+# aliases file, and that newaliases still needs to be run.
+#
+# This is recommended when Postfix is installed for the first time.
+# MULTIPLE POSTFIX INSTANCES
+# .ad
+# .fi
+# Multiple Postfix instances on the same machine can share command and
+# daemon program files but must have separate configuration and queue
+# directories.
+#
+# To create a secondary Postfix installation on the same machine,
+# copy the configuration files from the primary Postfix instance to
+# a secondary configuration directory and execute:
+#
+# postfix post-install config_directory=secondary-config-directory \e
+# .in +4
+# queue_directory=secondary-queue-directory \e
+# .br
+# create-missing
+# .PP
+# This creates secondary Postfix queue directories, sets their access
+# permissions, and saves the specified installation parameters to the
+# secondary main.cf file.
+#
+# Be sure to list the secondary configuration directory in the
+# alternate_config_directories parameter in the primary main.cf file.
+#
+# To upgrade a secondary Postfix installation on the same machine,
+# execute:
+#
+# postfix post-install config_directory=secondary-config-directory \e
+# .in +4
+# upgrade-permissions upgrade-configuration
+# INSTALLATION PARAMETER INPUT METHODS
+# .ad
+# .fi
+# Parameter settings can be specified through a variety of
+# mechanisms. In order of decreasing precedence these are:
+# .IP "command line"
+# Parameter settings can be given as name=value arguments on
+# the post-install command line. These have the highest precedence.
+# Settings that override the installed main.cf file are saved.
+# .IP "process environment"
+# Parameter settings can be given as name=value environment
+# variables.
+# Settings that override the installed main.cf file are saved.
+# .IP "installed configuration files"
+# If a parameter is not specified via the command line or via the
+# process environment, post-install will attempt to extract its
+# value from the already installed Postfix main.cf configuration file.
+# These settings have the lowest precedence.
+# INSTALLATION PARAMETER DESCRIPTION
+# .ad
+# .fi
+# The description of installation parameters is as follows:
+# .IP config_directory
+# The directory for Postfix configuration files.
+# .IP daemon_directory
+# The directory for Postfix daemon programs. This directory
+# should not be in the command search path of any users.
+# .IP command_directory
+# The directory for Postfix administrative commands. This
+# directory should be in the command search path of adminstrative users.
+# .IP queue_directory
+# The directory for Postfix queues.
+# .IP data_directory
+# The directory for Postfix writable data files (caches, etc.).
+# .IP sendmail_path
+# The full pathname for the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+# .IP newaliases_path
+# The full pathname for the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases
+# for the Postfix local delivery agent.
+# .IP mailq_path
+# The full pathname for the Postfix mailq command.
+# This is the Sendmail-compatible command to list the mail queue.
+# .IP mail_owner
+# The owner of the Postfix queue. Its numerical user ID and group ID
+# must not be used by any other accounts on the system.
+# .IP setgid_group
+# The group for mail submission and for queue management commands.
+# Its numerical group ID must not be used by any other accounts on the
+# system, not even by the mail_owner account.
+# .IP html_directory
+# The directory for the Postfix HTML files.
+# .IP manpage_directory
+# The directory for the Postfix on-line manual pages.
+# .IP sample_directory
+# The directory for the Postfix sample configuration files.
+# This feature is obsolete as of Postfix 2.1.
+# .IP readme_directory
+# The directory for the Postfix README files.
+# SEE ALSO
+# postfix-install(1) Postfix primary installation script.
+# FILES
+# $config_directory/main.cf, Postfix installation parameters.
+# $daemon_directory/postfix-files, installation control file.
+# $daemon_directory/postfix-files.d/*, optional control files.
+# $config_directory/install.cf, obsolete configuration file.
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#--
+
+umask 022
+
+PATH=/bin:/usr/bin:/usr/sbin:/usr/etc:/sbin:/etc:/usr/contrib/bin:/usr/gnu/bin:/usr/ucb:/usr/bsd
+SHELL=/bin/sh
+IFS="
+"
+BACKUP_IFS="$IFS"
+debug=:
+#debug=echo
+MOST_PARAMETERS="command_directory daemon_directory data_directory
+ html_directory mail_owner mailq_path manpage_directory
+ newaliases_path queue_directory readme_directory sample_directory
+ sendmail_path setgid_group"
+NON_SHARED="config_directory queue_directory data_directory"
+
+USAGE="Usage: $0 [name=value] command
+ create-missing Create missing queue directories.
+ upgrade-source When installing or upgrading from source code.
+ upgrade-package When installing or upgrading from pre-built package.
+ first-install-reminder Remind of mandatory first-time configuration steps.
+ name=value Specify an installation parameter".
+
+# Process command-line options and parameter settings. Work around
+# brain damaged shells. "IFS=value command" should not make the
+# IFS=value setting permanent. But some broken standard allows it.
+
+create=; set_perms=; upgrade_perms=; upgrade_conf=; first_install_reminder=
+obsolete=; keep_list=;
+
+for arg
+do
+ case $arg in
+ *=*) IFS= eval $arg; IFS="$BACKUP_IFS";;
+ create-missing) create=1;;
+ set-perm*) create=1; set_perms=1;;
+ upgrade-perm*) create=1; upgrade_perms=1;;
+ upgrade-conf*) upgrade_conf=1;;
+ upgrade-source) create=1; upgrade_conf=1; upgrade_perms=1;;
+ upgrade-package) create=1; upgrade_conf=1; set_perms=1;;
+ first-install*) first_install_reminder=1;;
+ *) echo "$0: Error: $USAGE" 1>&2; exit 1;;
+ esac
+ shift
+done
+
+# Sanity checks.
+
+test -n "$create$upgrade_conf$first_install_reminder" || {
+ echo "$0: Error: $USAGE" 1>&2
+ exit 1
+}
+
+# Bootstrapping problem.
+
+if [ -n "$command_directory" ]
+then
+ POSTCONF="$command_directory/postconf"
+else
+ POSTCONF="postconf"
+fi
+
+$POSTCONF -d mail_version >/dev/null 2>/dev/null || {
+ echo $0: Error: no $POSTCONF command found. 1>&2
+ echo Re-run this command as $0 command_directory=/some/where. 1>&2
+ exit 1
+}
+
+# Also used to require license etc. files only in the default instance.
+
+def_config_directory=`$POSTCONF -d -h config_directory` || exit 1
+test -n "$config_directory" ||
+ config_directory="$def_config_directory"
+
+test -d "$config_directory" || {
+ echo $0: Error: $config_directory is not a directory. 1>&2
+ exit 1
+}
+
+# If this is a secondary instance, don't touch shared files.
+# XXX Solaris does not have "test -e".
+
+instances=`test ! -f $def_config_directory/main.cf ||
+ $POSTCONF -c $def_config_directory -h multi_instance_directories |
+ sed 's/,/ /'` || exit 1
+
+update_shared_files=1
+for name in $instances
+do
+ case "$name" in
+ "$def_config_directory") ;;
+ "$config_directory") update_shared_files=; break;;
+ esac
+done
+
+test -f $daemon_directory/postfix-files || {
+ echo $0: Error: $daemon_directory/postfix-files is not a file. 1>&2
+ exit 1
+}
+
+# SunOS5 fmt(1) truncates lines > 1000 characters.
+
+fake_fmt() {
+ sed '
+ :top
+ /^\( *\)\([^ ][^ ]*\) */{
+ s//\1\2\
+\1/
+ P
+ D
+ b top
+ }
+ ' | fmt
+}
+
+case `uname -s` in
+HP-UX*) FMT=cat;;
+SunOS*) FMT=fake_fmt;;
+ *) FMT=fmt;;
+esac
+
+# If a parameter is not set via the command line or environment,
+# try to use settings from installed configuration files.
+
+# Extract parameter settings from the obsolete install.cf file, as
+# a transitional aid.
+
+grep setgid_group $config_directory/main.cf >/dev/null 2>&1 || {
+ test -f $config_directory/install.cf && {
+ for name in sendmail_path newaliases_path mailq_path setgid manpages
+ do
+ eval junk=\$$name
+ case "$junk" in
+ "") eval unset $name;;
+ esac
+ eval : \${$name="\`. $config_directory/install.cf; echo \$$name\`"} \
+ || exit 1
+ done
+ : ${setgid_group=$setgid}
+ : ${manpage_directory=$manpages}
+ }
+}
+
+# Extract parameter settings from the installed main.cf file.
+
+test -f $config_directory/main.cf && {
+ for name in $MOST_PARAMETERS
+ do
+ eval junk=\$$name
+ case "$junk" in
+ "") eval unset $name;;
+ esac
+ eval : \${$name=\`$POSTCONF -c $config_directory -h $name\`} || exit 1
+ done
+}
+
+# Sanity checks
+
+case $manpage_directory in
+ no) echo $0: Error: manpage_directory no longer accepts \"no\" values. 1>&2
+ echo Try again with \"$0 manpage_directory=/pathname ...\". 1>&2; exit 1;;
+esac
+
+case $setgid_group in
+ no) echo $0: Error: setgid_group no longer accepts \"no\" values. 1>&2
+ echo Try again with \"$0 setgid_group=groupname ...\" 1>&2; exit 1;;
+esac
+
+for path in "$daemon_directory" "$command_directory" "$queue_directory" \
+ "$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory"
+do
+ case "$path" in
+ /*) ;;
+ *) echo $0: Error: \"$path\" should be an absolute path name. 1>&2; exit 1;;
+ esac
+done
+
+for path in "$html_directory" "$readme_directory"
+do
+ case "$path" in
+ /*) ;;
+ no) ;;
+ *) echo $0: Error: \"$path\" should be \"no\" or an absolute path name. 1>&2; exit 1;;
+ esac
+done
+
+# Find out what parameters were not specified via command line,
+# via environment, or via installed configuration files.
+
+missing=
+for name in $MOST_PARAMETERS
+do
+ eval test -n \"\$$name\" || missing="$missing $name"
+done
+
+# All parameters must be specified at this point.
+
+test -n "$non_interactive" -a -n "$missing" && {
+ cat <<EOF | ${FMT} 1>&2
+$0: Error: some required installation parameters are not defined.
+
+- Either the parameters need to be given in the $config_directory/main.cf
+file from a recent Postfix installation,
+
+- Or the parameters need to be specified through the process
+environment.
+
+- Or the parameters need to be specified as name=value arguments
+on the $0 command line,
+
+The following parameters were missing:
+
+ $missing
+
+EOF
+ exit 1
+}
+
+POSTCONF="$command_directory/postconf"
+
+# Save settings, allowing command line/environment override.
+
+override=
+for name in $MOST_PARAMETERS
+do
+ eval test \"\$$name\" = \"`$POSTCONF -c $config_directory -h $name`\" || {
+ override=1
+ break
+ }
+done
+
+test -n "$override" && {
+ $POSTCONF -c $config_directory -e \
+ "daemon_directory = $daemon_directory" \
+ "command_directory = $command_directory" \
+ "queue_directory = $queue_directory" \
+ "data_directory = $data_directory" \
+ "mail_owner = $mail_owner" \
+ "setgid_group = $setgid_group" \
+ "sendmail_path = $sendmail_path" \
+ "mailq_path = $mailq_path" \
+ "newaliases_path = $newaliases_path" \
+ "html_directory = $html_directory" \
+ "manpage_directory = $manpage_directory" \
+ "sample_directory = $sample_directory" \
+ "readme_directory = $readme_directory" \
+ || exit 1
+}
+
+# Use file/directory status information in $daemon_directory/postfix-files.
+
+test -n "$create" && {
+ postfix_files_d=$daemon_directory/postfix-files.d
+ for postfix_file in $daemon_directory/postfix-files \
+ `test -d $postfix_files_d && { find $postfix_files_d -type f | sort; }`
+ do
+ exec <$postfix_file || exit 1
+ while IFS=: read path type owner group mode flags junk
+ do
+ IFS="$BACKUP_IFS"
+ set_permission=
+ # Skip comments. Skip shared files, if updating a secondary instance.
+ case $path in
+ [$]*) case "$update_shared_files" in
+ 1) $debug keep non-shared or shared $path;;
+ *) non_shared=
+ for name in $NON_SHARED
+ do
+ case $path in
+ "\$$name"*) non_shared=1; break;;
+ esac
+ done
+ case "$non_shared" in
+ 1) $debug keep non-shared $path;;
+ *) $debug skip shared $path; continue;;
+ esac;;
+ esac;;
+ *) continue;;
+ esac
+ # Skip hard links and symbolic links.
+ case $type in
+ [hl]) continue;;
+ [df]) ;;
+ *) echo unknown type $type for $path in $postfix_file 1>&2; exit 1;;
+ esac
+ # Expand $name, and canonicalize null fields.
+ for name in path owner group flags
+ do
+ eval junk=\${$name}
+ case $junk in
+ [$]*) eval $name=$junk;;
+ -) eval $name=;;
+ *) ;;
+ esac
+ done
+ # Skip uninstalled files.
+ case $path in
+ no|no/*) continue;;
+ esac
+ # Pick up the flags.
+ case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
+ case $flags in *c*) create_flag=1;; *) create_flag=;; esac
+ case $flags in *r*) recursive="-R";; *) recursive=;; esac
+ case $flags in *o*) obsolete_flag=1;; *) obsolete_flag=;; esac
+ case $flags in *[1i]*) test ! -r "$path" -a "$config_directory" != \
+ "$def_config_directory" && continue;; esac
+ # Flag obsolete objects. XXX Solaris 2..9 does not have "test -e".
+ if [ -n "$obsolete_flag" ]
+ then
+ test -r $path -a "$type" != "d" && obsolete="$obsolete $path"
+ continue;
+ else
+ keep_list="$keep_list $path"
+ fi
+ # Create missing directories with proper owner/group/mode settings.
+ if [ -n "$create" -a "$type" = "d" -a -n "$create_flag" -a ! -d "$path" ]
+ then
+ mkdir $path || exit 1
+ set_permission=1
+ # Update all owner/group/mode settings.
+ elif [ -n "$set_perms" ]
+ then
+ set_permission=1
+ # Update obsolete owner/group/mode settings.
+ elif [ -n "$upgrade_perms" -a -n "$upgrade_flag" ]
+ then
+ set_permission=1
+ fi
+ test -n "$set_permission" && {
+ chown $recursive $owner $path || exit 1
+ test -z "$group" || chgrp $recursive $group $path || exit 1
+ # Don't "chmod -R"; queue file status is encoded in mode bits.
+ if [ "$type" = "d" -a -n "$recursive" ]
+ then
+ find $path -type d -exec chmod $mode "{}" ";"
+ else
+ chmod $mode $path
+ fi || exit 1
+ }
+ done
+ IFS="$BACKUP_IFS"
+ done
+}
+
+# Upgrade existing Postfix configuration files if necessary.
+
+test -n "$upgrade_conf" && {
+
+ # Postfix 2.0.
+ # Add missing relay service to master.cf.
+
+ grep '^relay' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for relay service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+relay unix - - n - - smtp
+EOF
+ }
+
+ # Postfix 1.1.
+ # Add missing flush service to master.cf.
+
+ grep '^flush.*flush' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for flush service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+flush unix - - n 1000? 0 flush
+EOF
+ }
+
+ # Postfix 2.1.
+ # Add missing trace service to master.cf.
+
+ grep 'trace.*bounce' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for trace service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+trace unix - - n - 0 bounce
+EOF
+ }
+
+ # Postfix 2.1.
+ # Add missing verify service to master.cf.
+
+ grep '^verify.*verify' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for verify service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+verify unix - - n - 1 verify
+EOF
+ }
+
+ # Postfix 2.1.
+ # Fix verify service process limit.
+
+ grep '^verify.*[ ]0[ ]*verify' \
+ $config_directory/master.cf >/dev/null && {
+ echo Editing $config_directory/master.cf, setting verify process limit to 1
+ ed $config_directory/master.cf <<EOF || exit 1
+/^verify.*[ ]0[ ]*verify/
+s/\([ ]\)0\([ ]\)/\11\2/
+p
+w
+q
+EOF
+ }
+
+ # Postfix 1.1.
+ # Change privileged pickup service into unprivileged.
+
+ grep "^pickup[ ]*fifo[ ]*n[ ]*n" \
+ $config_directory/master.cf >/dev/null && {
+ echo Editing $config_directory/master.cf, making the pickup service unprivileged
+ ed $config_directory/master.cf <<EOF || exit 1
+/^pickup[ ]*fifo[ ]*n[ ]*n/
+s/\(n[ ]*\)n/\1-/
+p
+w
+q
+EOF
+ }
+
+ # Postfix 1.1.
+ # Change private cleanup and flush services into public.
+
+ for name in cleanup flush
+ do
+ grep "^$name[ ]*unix[ ]*[-y]" \
+ $config_directory/master.cf >/dev/null && {
+ echo Editing $config_directory/master.cf, making the $name service public
+ ed $config_directory/master.cf <<EOF || exit 1
+/^$name[ ]*unix[ ]*[-y]/
+s/[-y]/n/
+p
+w
+q
+EOF
+ }
+ done
+
+ # Postfix 2.2.
+ # File systems have improved since Postfix came out, and all we
+ # require now is that defer and deferred are hashed because those
+ # can contain lots of files.
+
+ found=`$POSTCONF -c $config_directory -h hash_queue_names`
+ missing=
+ (echo "$found" | grep defer >/dev/null) || missing="$missing defer"
+ (echo "$found" | grep deferred>/dev/null)|| missing="$missing deferred"
+ test -n "$missing" && {
+ echo fixing main.cf hash_queue_names for missing $missing
+ $POSTCONF -c $config_directory -e hash_queue_names="$found$missing" ||
+ exit 1
+ }
+
+ # Turn on safety nets for new features that could bounce mail that
+ # would be accepted by a previous Postfix version.
+
+ # [The "unknown_local_recipient_reject_code = 450" safety net,
+ # introduced with Postfix 2.0 and deleted after Postfix 2.3.]
+
+ # Postfix 2.0.
+ # Add missing proxymap service to master.cf.
+
+ grep '^proxymap.*proxymap' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for proxymap service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+proxymap unix - - n - - proxymap
+EOF
+ }
+
+ # Postfix 2.1.
+ # Add missing anvil service to master.cf.
+
+ grep '^anvil.*anvil' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for anvil service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+anvil unix - - n - 1 anvil
+EOF
+ }
+
+ # Postfix 2.2.
+ # Add missing scache service to master.cf.
+
+ grep '^scache.*scache' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for scache service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+scache unix - - n - 1 scache
+EOF
+ }
+
+ # Postfix 2.2.
+ # Add missing discard service to master.cf.
+
+ grep '^discard.*discard' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for discard service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+discard unix - - n - - discard
+EOF
+ }
+
+ # Postfix 2.2.
+ # Update the tlsmgr fifo->unix service.
+
+ grep "^tlsmgr[ ]*fifo[ ]" \
+ $config_directory/master.cf >/dev/null && {
+ echo Editing $config_directory/master.cf, updating the tlsmgr from fifo to unix service
+ ed $config_directory/master.cf <<EOF || exit 1
+/^tlsmgr[ ]*fifo[ ]/
+s/fifo/unix/
+s/[0-9][0-9]*/&?/
+p
+w
+q
+EOF
+ }
+
+ # Postfix 2.2.
+ # Add missing tlsmgr service to master.cf.
+
+ grep '^tlsmgr.*tlsmgr' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for tlsmgr service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+tlsmgr unix - - n 1000? 1 tlsmgr
+EOF
+ }
+
+ # Postfix 2.2.
+ # Add missing retry service to master.cf.
+
+ grep '^retry.*error' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for retry service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+retry unix - - n - - error
+EOF
+ }
+
+ # Postfix 2.5.
+ # Add missing proxywrite service to master.cf.
+
+ grep '^proxywrite.*proxymap' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for proxywrite service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+proxywrite unix - - n - 1 proxymap
+EOF
+ }
+
+ # Postfix 2.5.
+ # Fix a typo in the default master.cf proxywrite entry.
+
+ grep '^proxywrite.*-[ ]*proxymap' $config_directory/master.cf >/dev/null && {
+ echo Editing $config_directory/master.cf, setting proxywrite process limit to 1
+ ed $config_directory/master.cf <<EOF || exit 1
+/^proxywrite.*-[ ]*proxymap/
+s/-\([ ]*proxymap\)/1\1/
+p
+w
+q
+EOF
+ }
+
+ # Postfix 2.8.
+ # Add missing postscreen service to master.cf.
+
+ grep '^#*smtp.*postscreen' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for postscreen TCP service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+#smtp inet n - n - 1 postscreen
+EOF
+ }
+
+ # Postfix 2.8.
+ # Add missing smtpd (unix-domain) service to master.cf.
+
+ grep '^#*smtpd.*smtpd' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for smtpd unix-domain service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+#smtpd pass - - n - - smtpd
+EOF
+ }
+
+ # Postfix 2.8.
+ # Add temporary dnsblog (unix-domain) service to master.cf.
+
+ grep '^#*dnsblog.*dnsblog' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for dnsblog unix-domain service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+#dnsblog unix - - n - 0 dnsblog
+EOF
+ }
+
+ # Postfix 2.8.
+ # Add tlsproxy (unix-domain) service to master.cf.
+
+ grep '^#*tlsproxy.*tlsproxy' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for tlsproxy unix-domain service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+#tlsproxy unix - - n - 0 tlsproxy
+EOF
+ }
+
+ # Report (but do not remove) obsolete files.
+
+ test -n "$obsolete" && {
+ cat <<EOF | ${FMT}
+
+ Note: the following files or directories still exist but are
+ no longer part of Postfix:
+
+ $obsolete
+
+EOF
+ }
+
+ # Postfix 2.9.
+ # Safety net for incompatible changes in IPv6 defaults.
+ # PLEASE DO NOT REMOVE THIS CODE. ITS PURPOSE IS TO AVOID AN
+ # UNEXPECTED DROP IN PERFORMANCE AFTER UPGRADING FROM POSTFIX
+ # BEFORE 2.9.
+ # This code assumes that the default is "inet_protocols = ipv4"
+ # when IPv6 support is not compiled in. See util/sys_defs.h.
+
+ test "`$POSTCONF -dh inet_protocols`" = "ipv4" ||
+ test -n "`$POSTCONF -c $config_directory -n inet_protocols`" || {
+ cat <<EOF | ${FMT}
+ COMPATIBILITY: editing $config_directory/main.cf, setting
+ inet_protocols=ipv4. Specify inet_protocols explicitly if you
+ want to enable IPv6.
+ In a future release IPv6 will be enabled by default.
+EOF
+ $POSTCONF -c $config_directory inet_protocols=ipv4 || exit 1
+ }
+
+# Disabled because unhelpful down-stream maintainers disable the safety net.
+# # Postfix 2.10.
+# # Safety net for incompatible changes due to the introduction
+# # of the smtpd_relay_restrictions feature to separate the
+# # mail relay policy from the spam blocking policy.
+# # PLEASE DO NOT REMOVE THIS CODE. ITS PURPOSE IS TO PREVENT
+# # INBOUND MAIL FROM UNEXPECTEDLY BOUNCING AFTER UPGRADING FROM
+# # POSTFIX BEFORE 2.10.
+# test -n "`$POSTCONF -c $config_directory -n smtpd_relay_restrictions`" || {
+# cat <<EOF | ${FMT}
+# COMPATIBILITY: editing $config_directory/main.cf, overriding
+# smtpd_relay_restrictions to prevent inbound mail from
+# unexpectedly bouncing.
+# Specify an empty smtpd_relay_restrictions value to keep using
+# smtpd_recipient_restrictions as before.
+#EOF
+# $POSTCONF -c $config_directory "smtpd_relay_restrictions = \
+# permit_mynetworks permit_sasl_authenticated \
+# defer_unauth_destination" || exit 1
+# }
+}
+
+# A reminder if this is the first time Postfix is being installed.
+
+test -n "$first_install_reminder" && {
+
+ ALIASES=`$POSTCONF -c $config_directory -h alias_database | sed 's/^[^:]*://'`
+ NEWALIASES_PATH=`$POSTCONF -c $config_directory -h newaliases_path`
+ cat <<EOF | ${FMT}
+
+ Warning: you still need to edit myorigin/mydestination/mynetworks
+ parameter settings in $config_directory/main.cf.
+
+ See also http://www.postfix.org/STANDARD_CONFIGURATION_README.html
+ for information about dialup sites or about sites inside a
+ firewalled network.
+
+ BTW: Check your $ALIASES file and be sure to set up aliases
+ that send mail for root and postmaster to a real person, then
+ run $NEWALIASES_PATH.
+
+EOF
+
+}
+
+exit 0
--- /dev/null
+
+RANDFILE = /usr/share/postfix.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Frank Brehm
+OU=Mail Server Postfix SSL key
+CN=ns3.uhu-banane.de
+emailAddress=postmaster@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
--- /dev/null
+#
+# Do not edit this file.
+#
+# This file controls the postfix-install script for installation of
+# Postfix programs, configuration files and documentation, as well
+# as the post-install script for setting permissions and for updating
+# Postfix configuration files. See the respective manual pages within
+# the script files.
+#
+# Do not list $command_directory in this file, or it will be blown
+# away by a future Postfix uninstallation procedure. You would not
+# want to lose all files in /usr/sbin.
+#
+# Each record in this file describes one file or directory.
+# Fields are separated by ":". Specify a null field as "-".
+# Missing fields or separators at the end are OK.
+#
+# File format:
+# name:type:owner:group:permission:flags
+# No group means don't change group ownership.
+#
+# File types:
+# d=directory
+# f=regular file
+# h=hard link (*)
+# l=symbolic link (*)
+#
+# (*) With hard links and symbolic links, the owner field becomes the
+# source pathname, while the group and permissions are ignored.
+#
+# File flags:
+# No flag means the flag is not active.
+# p=preserve existing file, do not replace (postfix-install).
+# u=update owner/group/mode (post-install upgrade-permissions).
+# c=create missing directory (post-install create-missing).
+# r=apply owner/group recursively (post-install set/upgrade-permissions).
+# o=obsolete, no longer part of Postfix
+# 1=optional for non-default instance (config_dir != built-in default).
+#
+# Note: the "u" flag is for upgrading the permissions of existing files
+# or directories after changes in Postfix architecture. For robustness
+# it is a good idea to "u" all the files that have special ownership or
+# permissions, so that running "make install" fixes any glitches.
+#
+$config_directory:d:root:-:755:u
+$data_directory:d:$mail_owner:-:700:uc
+$daemon_directory:d:root:-:755:u
+$queue_directory:d:root:-:755:uc
+$sample_directory:d:root:-:755:o
+$readme_directory:d:root:-:755
+$html_directory:d:root:-:755
+$queue_directory/active:d:$mail_owner:-:700:ucr
+$queue_directory/bounce:d:$mail_owner:-:700:ucr
+$queue_directory/corrupt:d:$mail_owner:-:700:ucr
+$queue_directory/defer:d:$mail_owner:-:700:ucr
+$queue_directory/deferred:d:$mail_owner:-:700:ucr
+$queue_directory/flush:d:$mail_owner:-:700:ucr
+$queue_directory/hold:d:$mail_owner:-:700:ucr
+$queue_directory/incoming:d:$mail_owner:-:700:ucr
+$queue_directory/private:d:$mail_owner:-:700:uc
+$queue_directory/maildrop:d:$mail_owner:$setgid_group:730:uc
+$queue_directory/public:d:$mail_owner:$setgid_group:710:uc
+$queue_directory/pid:d:root:-:755:uc
+$queue_directory/saved:d:$mail_owner:-:700:ucr
+$queue_directory/trace:d:$mail_owner:-:700:ucr
+$daemon_directory/anvil:f:root:-:755
+$daemon_directory/bounce:f:root:-:755
+$daemon_directory/dict_cdb.so:f:root:-:755
+$daemon_directory/dict_ldap.so:f:root:-:755
+$daemon_directory/dict_pcre.so:f:root:-:755
+$daemon_directory/dict_mysql.so:f:root:-:755
+$daemon_directory/dict_sqlite.so:f:root:-:755
+$daemon_directory/dict_tcp.so:f:root:-:755
+$daemon_directory/dict_sdbm.so:f:root:-:755
+$daemon_directory/cleanup:f:root:-:755
+$daemon_directory/discard:f:root:-:755
+$daemon_directory/dnsblog:f:root:-:755
+$daemon_directory/error:f:root:-:755
+$daemon_directory/flush:f:root:-:755
+#$daemon_directory/lmtp:f:root:-:755
+$daemon_directory/local:f:root:-:755
+$daemon_directory/main.cf:f:root:-:644
+$daemon_directory/master.cf:f:root:-:644
+$daemon_directory/master:f:root:-:755
+$daemon_directory/oqmgr:f:root:-:755
+$daemon_directory/pickup:f:root:-:755
+$daemon_directory/pipe:f:root:-:755
+$daemon_directory/post-install:f:root:-:755
+$daemon_directory/postfix-files:f:root:-:644
+$daemon_directory/postfix-script:f:root:-:755
+$daemon_directory/postfix-wrapper:f:root:-:755
+$daemon_directory/postmulti-script:f:root:-:755
+$daemon_directory/postscreen:f:root:-:755
+$daemon_directory/proxymap:f:root:-:755
+$daemon_directory/qmgr:f:root:-:755
+$daemon_directory/qmqpd:f:root:-:755
+$daemon_directory/scache:f:root:-:755
+$daemon_directory/showq:f:root:-:755
+$daemon_directory/smtp:f:root:-:755
+$daemon_directory/smtpd:f:root:-:755
+$daemon_directory/spawn:f:root:-:755
+$daemon_directory/tlsproxy:f:root:-:755
+$daemon_directory/tlsmgr:f:root:-:755
+$daemon_directory/trivial-rewrite:f:root:-:755
+$daemon_directory/verify:f:root:-:755
+$daemon_directory/virtual:f:root:-:755
+/usr/lib/libpostfix-dns.so.1:f:root:-:755
+/usr/lib/libpostfix-global.so.1:f:root:-:755
+/usr/lib/libpostfix-tls.so.1:f:root:-:755
+/usr/lib/libpostfix-master.so.1:f:root:-:755
+/usr/lib/libpostfix-util.so.1:f:root:-:755
+$daemon_directory/nqmgr:h:$daemon_directory/qmgr
+$daemon_directory/lmtp:h:$daemon_directory/smtp
+$command_directory/postalias:f:root:-:755
+$command_directory/postcat:f:root:-:755
+$command_directory/postconf:f:root:-:755
+$command_directory/postfix:f:root:-:755
+$command_directory/postkick:f:root:-:755
+$command_directory/postlock:f:root:-:755
+$command_directory/postlog:f:root:-:755
+$command_directory/postmap:f:root:-:755
+$command_directory/postmulti:f:root:-:755
+$command_directory/postsuper:f:root:-:755
+$command_directory/postdrop:f:root:$setgid_group:2755:u
+$command_directory/postqueue:f:root:$setgid_group:2755:u
+$sendmail_path:f:root:-:755
+$newaliases_path:l:$sendmail_path
+$mailq_path:l:$sendmail_path
+$config_directory/LICENSE:f:root:-:644:1
+$config_directory/TLS_LICENSE:f:root:-:644:1
+$config_directory/access:f:root:-:644:p1
+$config_directory/aliases:f:root:-:644:p1
+$config_directory/bounce.cf.default:f:root:-:644:1
+$config_directory/canonical:f:root:-:644:p1
+$config_directory/dynamicmaps.cf:f:root:-:644:p1
+$config_directory/cidr_table:f:root:-:644:o
+$config_directory/generic:f:root:-:644:p1
+$config_directory/generics:f:root:-:644:o
+$config_directory/header_checks:f:root:-:644:p1
+$config_directory/install.cf:f:root:-:644:o
+$config_directory/main.cf.default:f:root:-:644:1
+$config_directory/main.cf:f:root:-:644:p
+$config_directory/makedefs.out:f:root:-:644:1
+$config_directory/master.cf:f:root:-:644:p
+$config_directory/pcre_table:f:root:-:644:o
+$config_directory/postfix-files:f:root:-:644:o
+$config_directory/regexp_table:f:root:-:644:o
+$config_directory/relocated:f:root:-:644:p1
+$config_directory/tcp_table:f:root:-:644:o
+$config_directory/transport:f:root:-:644:p1
+$config_directory/virtual:f:root:-:644:p1
+$config_directory/postfix-script:f:root:-:755:o
+$config_directory/postfix-script-sgid:f:root:-:755:o
+$config_directory/postfix-script-nosgid:f:root:-:755:o
+$config_directory/post-install:f:root:-:755:o
+$manpage_directory/man1/mailq.1:f:root:-:644
+$manpage_directory/man1/newaliases.1:f:root:-:644
+$manpage_directory/man1/postalias.1:f:root:-:644
+$manpage_directory/man1/postcat.1:f:root:-:644
+$manpage_directory/man1/postconf.1:f:root:-:644
+$manpage_directory/man1/postdrop.1:f:root:-:644
+$manpage_directory/man1/postfix.1:f:root:-:644
+$manpage_directory/man1/postkick.1:f:root:-:644
+$manpage_directory/man1/postlock.1:f:root:-:644
+$manpage_directory/man1/postlog.1:f:root:-:644
+$manpage_directory/man1/postmap.1:f:root:-:644
+$manpage_directory/man1/postmulti.1:f:root:-:644
+$manpage_directory/man1/postqueue.1:f:root:-:644
+$manpage_directory/man1/postsuper.1:f:root:-:644
+$manpage_directory/man1/sendmail.1:f:root:-:644
+$manpage_directory/man5/access.5:f:root:-:644
+$manpage_directory/man5/aliases.5:f:root:-:644
+$manpage_directory/man5/body_checks.5:f:root:-:644
+$manpage_directory/man5/bounce.5:f:root:-:644
+$manpage_directory/man5/canonical.5:f:root:-:644
+$manpage_directory/man5/cidr_table.5:f:root:-:644
+$manpage_directory/man5/generics.5:f:root:-:644:o
+$manpage_directory/man5/generic.5:f:root:-:644
+$manpage_directory/man5/header_checks.5:f:root:-:644
+$manpage_directory/man5/ldap_table.5:f:root:-:644
+$manpage_directory/man5/lmdb_table.5:f:root:-:644
+$manpage_directory/man5/master.5:f:root:-:644
+$manpage_directory/man5/memcache_table.5:f:root:-:644
+$manpage_directory/man5/mysql_table.5:f:root:-:644
+$manpage_directory/man5/socketmap_table.5:f:root:-:644
+$manpage_directory/man5/sqlite_table.5:f:root:-:644
+$manpage_directory/man5/nisplus_table.5:f:root:-:644
+$manpage_directory/man5/pcre_table.5:f:root:-:644
+$manpage_directory/man5/pgsql_table.5:f:root:-:644
+$manpage_directory/man5/postconf.5:f:root:-:644
+$manpage_directory/man5/postfix-wrapper.5:f:root:-:644
+$manpage_directory/man5/regexp_table.5:f:root:-:644
+$manpage_directory/man5/relocated.5:f:root:-:644
+$manpage_directory/man5/tcp_table.5:f:root:-:644
+$manpage_directory/man5/transport.5:f:root:-:644
+$manpage_directory/man5/virtual.5:f:root:-:644
+$manpage_directory/man8/bounce.8:f:root:-:644
+$manpage_directory/man8/cleanup.8:f:root:-:644
+$manpage_directory/man8/anvil.8:f:root:-:644
+$manpage_directory/man8/defer.8:f:root:-:644
+$manpage_directory/man8/discard.8:f:root:-:644
+$manpage_directory/man8/dnsblog.8:f:root:-:644
+$manpage_directory/man8/error.8:f:root:-:644
+$manpage_directory/man8/flush.8:f:root:-:644
+$manpage_directory/man8/lmtp.8:f:root:-:644
+$manpage_directory/man8/local.8:f:root:-:644
+$manpage_directory/man8/master.8:f:root:-:644
+$manpage_directory/man8/nqmgr.8:f:root:-:644:o
+$manpage_directory/man8/oqmgr.8:f:root:-:644:
+$manpage_directory/man8/pickup.8:f:root:-:644
+$manpage_directory/man8/pipe.8:f:root:-:644
+$manpage_directory/man8/postscreen.8:f:root:-:644
+$manpage_directory/man8/proxymap.8:f:root:-:644
+$manpage_directory/man8/qmgr.8:f:root:-:644
+$manpage_directory/man8/qmqpd.8:f:root:-:644
+$manpage_directory/man8/scache.8:f:root:-:644
+$manpage_directory/man8/showq.8:f:root:-:644
+$manpage_directory/man8/smtp.8:f:root:-:644
+$manpage_directory/man8/smtpd.8:f:root:-:644
+$manpage_directory/man8/spawn.8:f:root:-:644
+$manpage_directory/man8/tlsproxy.8:f:root:-:644
+$manpage_directory/man8/tlsmgr.8:f:root:-:644
+$manpage_directory/man8/trace.8:f:root:-:644
+$manpage_directory/man8/trivial-rewrite.8:f:root:-:644
+$manpage_directory/man8/verify.8:f:root:-:644
+$manpage_directory/man8/virtual.8:f:root:-:644
+$sample_directory/sample-aliases.cf:f:root:-:644:o
+$sample_directory/sample-auth.cf:f:root:-:644:o
+$sample_directory/sample-canonical.cf:f:root:-:644:o
+$sample_directory/sample-compatibility.cf:f:root:-:644:o
+$sample_directory/sample-debug.cf:f:root:-:644:o
+$sample_directory/sample-filter.cf:f:root:-:644:o
+$sample_directory/sample-flush.cf:f:root:-:644:o
+$sample_directory/sample-ipv6.cf:f:root:-:644:o
+$sample_directory/sample-ldap.cf:f:root:-:644:o
+$sample_directory/sample-lmtp.cf:f:root:-:644:o
+$sample_directory/sample-local.cf:f:root:-:644:o
+$sample_directory/sample-mime.cf:f:root:-:644:o
+$sample_directory/sample-misc.cf:f:root:-:644:o
+$sample_directory/sample-pcre-access.cf:f:root:-:644:o
+$sample_directory/sample-pcre-body.cf:f:root:-:644:o
+$sample_directory/sample-pcre-header.cf:f:root:-:644:o
+$sample_directory/sample-pgsql-aliases.cf:f:root:-:644:o
+$sample_directory/sample-qmqpd.cf:f:root:-:644:o
+$sample_directory/sample-rate.cf:f:root:-:644:o
+$sample_directory/sample-regexp-access.cf:f:root:-:644:o
+$sample_directory/sample-regexp-body.cf:f:root:-:644:o
+$sample_directory/sample-regexp-header.cf:f:root:-:644:o
+$sample_directory/sample-relocated.cf:f:root:-:644:o
+$sample_directory/sample-resource.cf:f:root:-:644:o
+$sample_directory/sample-rewrite.cf:f:root:-:644:o
+$sample_directory/sample-scheduler.cf:f:root:-:644:o
+$sample_directory/sample-smtp.cf:f:root:-:644:o
+$sample_directory/sample-smtpd.cf:f:root:-:644:o
+$sample_directory/sample-tls.cf:f:root:-:644:o
+$sample_directory/sample-transport.cf:f:root:-:644:o
+$sample_directory/sample-verify.cf:f:root:-:644:o
+$sample_directory/sample-virtual.cf:f:root:-:644:o
+$readme_directory/AAAREADME:f:root:-:644
+$readme_directory/ADDRESS_CLASS_README:f:root:-:644
+$readme_directory/ADDRESS_REWRITING_README:f:root:-:644
+$readme_directory/ADDRESS_VERIFICATION_README:f:root:-:644
+$readme_directory/BACKSCATTER_README:f:root:-:644
+$readme_directory/BASIC_CONFIGURATION_README:f:root:-:644
+$readme_directory/BUILTIN_FILTER_README:f:root:-:644
+$readme_directory/CDB_README:f:root:-:644
+$readme_directory/CONNECTION_CACHE_README:f:root:-:644
+$readme_directory/CONTENT_INSPECTION_README:f:root:-:644
+$readme_directory/DATABASE_README:f:root:-:644
+$readme_directory/DB_README:f:root:-:644
+$readme_directory/DEBUG_README:f:root:-:644
+$readme_directory/DSN_README:f:root:-:644
+$readme_directory/ETRN_README:f:root:-:644
+$readme_directory/FILTER_README:f:root:-:644
+$readme_directory/FORWARD_SECRECY_README:f:root:-:644
+$readme_directory/HOSTING_README:f:root:-:644:o
+$readme_directory/INSTALL:f:root:-:644
+$readme_directory/IPV6_README:f:root:-:644
+$readme_directory/LDAP_README:f:root:-:644
+$readme_directory/LINUX_README:f:root:-:644
+$readme_directory/LMDB_README:f:root:-:644
+$readme_directory/LOCAL_RECIPIENT_README:f:root:-:644
+$readme_directory/MACOSX_README:f:root:-:644:o
+$readme_directory/MAILDROP_README:f:root:-:644
+$readme_directory/MEMCACHE_README:f:root:-:644
+$readme_directory/MILTER_README:f:root:-:644
+$readme_directory/MULTI_INSTANCE_README:f:root:-:644
+$readme_directory/MYSQL_README:f:root:-:644
+$readme_directory/SQLITE_README:f:root:-:644
+$readme_directory/NFS_README:f:root:-:644
+$readme_directory/OVERVIEW:f:root:-:644
+$readme_directory/PACKAGE_README:f:root:-:644
+$readme_directory/PCRE_README:f:root:-:644
+$readme_directory/PGSQL_README:f:root:-:644
+$readme_directory/POSTSCREEN_README:f:root:-:644
+$readme_directory/QMQP_README:f:root:-:644:o
+$readme_directory/QSHAPE_README:f:root:-:644
+$readme_directory/RELEASE_NOTES:f:root:-:644
+$readme_directory/RESTRICTION_CLASS_README:f:root:-:644
+$readme_directory/SASL_README:f:root:-:644
+$readme_directory/SCHEDULER_README:f:root:-:644
+$readme_directory/SMTPD_ACCESS_README:f:root:-:644
+$readme_directory/SMTPD_POLICY_README:f:root:-:644
+$readme_directory/SMTPD_PROXY_README:f:root:-:644
+$readme_directory/SOHO_README:f:root:-:644
+$readme_directory/STANDARD_CONFIGURATION_README:f:root:-:644
+$readme_directory/STRESS_README:f:root:-:644
+$readme_directory/TLS_LEGACY_README:f:root:-:644
+$readme_directory/TLS_README:f:root:-:644
+$readme_directory/TUNING_README:f:root:-:644
+$readme_directory/ULTRIX_README:f:root:-:644
+$readme_directory/UUCP_README:f:root:-:644
+$readme_directory/VERP_README:f:root:-:644
+$readme_directory/VIRTUAL_README:f:root:-:644
+$readme_directory/XCLIENT_README:f:root:-:644
+$readme_directory/XFORWARD_README:f:root:-:644
+$html_directory/ADDRESS_CLASS_README.html:f:root:-:644
+$html_directory/ADDRESS_REWRITING_README.html:f:root:-:644
+$html_directory/ADDRESS_VERIFICATION_README.html:f:root:-:644
+$html_directory/BACKSCATTER_README.html:f:root:-:644
+$html_directory/BASIC_CONFIGURATION_README.html:f:root:-:644
+$html_directory/BUILTIN_FILTER_README.html:f:root:-:644
+$html_directory/CDB_README.html:f:root:-:644
+$html_directory/CONNECTION_CACHE_README.html:f:root:-:644
+$html_directory/CONTENT_INSPECTION_README.html:f:root:-:644
+$html_directory/CYRUS_README.html:f:root:-:644:o
+$html_directory/DATABASE_README.html:f:root:-:644
+$html_directory/DB_README.html:f:root:-:644
+$html_directory/DEBUG_README.html:f:root:-:644
+$html_directory/DSN_README.html:f:root:-:644
+$html_directory/ETRN_README.html:f:root:-:644
+$html_directory/FILTER_README.html:f:root:-:644
+$html_directory/FORWARD_SECRECY_README.html:f:root:-:644
+$html_directory/INSTALL.html:f:root:-:644
+$html_directory/IPV6_README.html:f:root:-:644
+$html_directory/LDAP_README.html:f:root:-:644
+$html_directory/LINUX_README.html:f:root:-:644
+$html_directory/LMDB_README.html:f:root:-:644
+$html_directory/LOCAL_RECIPIENT_README.html:f:root:-:644
+$html_directory/MAILDROP_README.html:f:root:-:644
+$html_directory/MILTER_README.html:f:root:-:644
+$html_directory/MULTI_INSTANCE_README.html:f:root:-:644
+$html_directory/MYSQL_README.html:f:root:-:644
+$html_directory/SQLITE_README.html:f:root:-:644
+$html_directory/NFS_README.html:f:root:-:644
+$html_directory/OVERVIEW.html:f:root:-:644
+$html_directory/PACKAGE_README.html:f:root:-:644
+$html_directory/PCRE_README.html:f:root:-:644
+$html_directory/PGSQL_README.html:f:root:-:644
+$html_directory/POSTSCREEN_README.html:f:root:-:644
+$html_directory/QMQP_README.html:f:root:-:644:o
+$html_directory/QSHAPE_README.html:f:root:-:644
+$html_directory/RESTRICTION_CLASS_README.html:f:root:-:644
+$html_directory/SASL_README.html:f:root:-:644
+$html_directory/SCHEDULER_README.html:f:root:-:644
+$html_directory/SMTPD_ACCESS_README.html:f:root:-:644
+$html_directory/SMTPD_POLICY_README.html:f:root:-:644
+$html_directory/SMTPD_PROXY_README.html:f:root:-:644
+$html_directory/SOHO_README.html:f:root:-:644
+$html_directory/STANDARD_CONFIGURATION_README.html:f:root:-:644
+$html_directory/STRESS_README.html:f:root:-:644
+$html_directory/TLS_LEGACY_README.html:f:root:-:644
+$html_directory/TLS_README.html:f:root:-:644
+$html_directory/TUNING_README.html:f:root:-:644
+$html_directory/ULTRIX_README.html:f:root:-:644:o
+$html_directory/UUCP_README.html:f:root:-:644
+$html_directory/VERP_README.html:f:root:-:644
+$html_directory/VIRTUAL_README.html:f:root:-:644
+$html_directory/XCLIENT_README.html:f:root:-:644
+$html_directory/XFORWARD_README.html:f:root:-:644
+$html_directory/access.5.html:f:root:-:644
+$html_directory/aliases.5.html:f:root:-:644
+$html_directory/anvil.8.html:f:root:-:644
+$html_directory/bounce.8.html:f:root:-:644
+$html_directory/canonical.5.html:f:root:-:644
+$html_directory/cidr_table.5.html:f:root:-:644
+$html_directory/cleanup.8.html:f:root:-:644
+$html_directory/defer.8.html:h:$html_directory/bounce.8.html:-:644
+$html_directory/discard.8.html:f:root:-:644
+$html_directory/dnsblog.8.html:f:root:-:644
+$html_directory/error.8.html:f:root:-:644
+$html_directory/flush.8.html:f:root:-:644
+$html_directory/generics.5.html:f:root:-:644:o
+$html_directory/generic.5.html:f:root:-:644
+$html_directory/header_checks.5.html:f:root:-:644
+$html_directory/index.html:f:root:-:644
+$html_directory/ldap_table.5.html:f:root:-:644
+$html_directory/lmtp.8.html:f:root:-:644
+$html_directory/local.8.html:f:root:-:644
+$html_directory/mailq.1.html:f:root:-:644
+$html_directory/master.5.html:f:root:-:644
+$html_directory/master.8.html:f:root:-:644
+$html_directory/memcache_table.5.html:f:root:-:644
+$html_directory/mysql_table.5.html:f:root:-:644
+$html_directory/sqlite_table.5.html:f:root:-:644
+$html_directory/nisplus_table.5.html:f:root:-:644
+$html_directory/newaliases.1.html:h:$html_directory/mailq.1.html:-:644
+$html_directory/oqmgr.8.html:f:root:-:644
+$html_directory/pcre_table.5.html:f:root:-:644
+$html_directory/pgsql_table.5.html:f:root:-:644
+$html_directory/pickup.8.html:f:root:-:644
+$html_directory/pipe.8.html:f:root:-:644
+$html_directory/postalias.1.html:f:root:-:644
+$html_directory/postcat.1.html:f:root:-:644
+$html_directory/postconf.1.html:f:root:-:644
+$html_directory/postconf.5.html:f:root:-:644
+$html_directory/postdrop.1.html:f:root:-:644
+$html_directory/postfix-logo.jpg:f:root:-:644
+$html_directory/postfix-manuals.html:f:root:-:644
+$html_directory/postfix-wrapper.5.html:f:root:-:644
+$html_directory/postfix.1.html:f:root:-:644
+$html_directory/postkick.1.html:f:root:-:644
+$html_directory/postlock.1.html:f:root:-:644
+$html_directory/postlog.1.html:f:root:-:644
+$html_directory/postmap.1.html:f:root:-:644
+$html_directory/postmulti.1.html:f:root:-:644
+$html_directory/postqueue.1.html:f:root:-:644
+$html_directory/postscreen.8.html:f:root:-:644
+$html_directory/postsuper.1.html:f:root:-:644
+$html_directory/qshape.1.html:f:root:-:644
+$html_directory/proxymap.8.html:f:root:-:644
+$html_directory/qmgr.8.html:f:root:-:644
+$html_directory/qmqp-sink.1.html:f:root:-:644
+$html_directory/qmqp-source.1.html:f:root:-:644
+$html_directory/qmqpd.8.html:f:root:-:644
+$html_directory/regexp_table.5.html:f:root:-:644
+$html_directory/relocated.5.html:f:root:-:644
+$html_directory/sendmail.1.html:h:$html_directory/mailq.1.html:-:644
+$html_directory/showq.8.html:f:root:-:644
+$html_directory/smtp-sink.1.html:f:root:-:644
+$html_directory/smtp-source.1.html:f:root:-:644
+$html_directory/smtp.8.html:h:$html_directory/lmtp.8.html:-:644
+$html_directory/smtpd.8.html:f:root:-:644
+$html_directory/spawn.8.html:f:root:-:644
+$html_directory/tlsproxy.8.html:f:root:-:644
+$html_directory/tcp_table.5.html:f:root:-:644
+$html_directory/trace.8.html:h:$html_directory/bounce.8.html:-:644
+$html_directory/transport.5.html:f:root:-:644
+$html_directory/trivial-rewrite.8.html:f:root:-:644
+$html_directory/verify.8.html:f:root:-:644
+$html_directory/virtual.5.html:f:root:-:644
+$html_directory/virtual.8.html:f:root:-:644
--- /dev/null
+#!/bin/sh
+
+#++
+# NAME
+# postfix-script 1
+# SUMMARY
+# execute Postfix administrative commands
+# SYNOPSIS
+# \fBpostfix-script\fR \fIcommand\fR
+# DESCRIPTION
+# The \fBpostfix-script\fR script executes Postfix administrative
+# commands in an environment that is set up by the \fBpostfix\fR(1)
+# command.
+# SEE ALSO
+# master(8) Postfix master program
+# postfix(1) Postfix administrative interface
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# AUTHOR(S)
+# Wietse Venema
+# IBM T.J. Watson Research
+# P.O. Box 704
+# Yorktown Heights, NY 10598, USA
+#--
+
+# Avoid POSIX death due to SIGHUP when some parent process exits.
+
+trap '' 1
+
+case $daemon_directory in
+"") echo This script must be run by the postfix command. 1>&2
+ echo Do not run directly. 1>&2
+ exit 1
+esac
+
+LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-script"
+INFO="$LOGGER -p info"
+WARN="$LOGGER -p warn"
+ERROR="$LOGGER -p error"
+FATAL="$LOGGER -p fatal"
+PANIC="$LOGGER -p panic"
+
+if [ "X${1#quiet-}" != "X${1}" ]; then
+ INFO=:
+ x=${1#quiet-}
+ shift
+ set -- $x "$@"
+fi
+
+umask 022
+SHELL=/bin/sh
+
+#
+# Can't do much without these in place.
+#
+cd $command_directory || {
+ $FATAL no Postfix command directory $command_directory!
+ exit 1
+}
+cd $daemon_directory || {
+ $FATAL no Postfix daemon directory $daemon_directory!
+ exit 1
+}
+test -f master || {
+ $FATAL no Postfix master program $daemon_directory/master!
+ exit 1
+}
+cd $config_directory || {
+ $FATAL no Postfix configuration directory $config_directory!
+ exit 1
+}
+cd $queue_directory || {
+ $FATAL no Postfix queue directory $queue_directory!
+ exit 1
+}
+def_config_directory=`$command_directory/postconf -dh config_directory` || {
+ $FATAL cannot execute $command_directory/postconf!
+ exit 1
+}
+
+# If this is a secondary instance, don't touch shared files.
+
+instances=`test ! -f $def_config_directory/main.cf ||
+ $command_directory/postconf -c $def_config_directory \
+ -h multi_instance_directories | sed 's/,/ /'` || {
+ $FATAL cannot execute $command_directory/postconf!
+ exit 1
+}
+
+check_shared_files=1
+for name in $instances
+do
+ case "$name" in
+ "$def_config_directory") ;;
+ "$config_directory") check_shared_files=; break;;
+ esac
+done
+
+#
+# Parse JCL
+#
+case $1 in
+
+start_msg)
+
+ echo "Start postfix"
+ ;;
+
+stop_msg)
+
+ echo "Stop postfix"
+ ;;
+
+quick-start)
+
+ $daemon_directory/master -t 2>/dev/null || {
+ $FATAL the Postfix mail system is already running
+ exit 1
+ }
+ $daemon_directory/postfix-script quick-check || {
+ $FATAL Postfix integrity check failed!
+ exit 1
+ }
+ $INFO starting the Postfix mail system
+ $daemon_directory/master &
+ ;;
+
+start)
+
+ $daemon_directory/master -t 2>/dev/null || {
+ $FATAL the Postfix mail system is already running
+ exit 1
+ }
+ if [ -f $queue_directory/quick-start ]
+ then
+ rm -f $queue_directory/quick-start
+ else
+ $daemon_directory/postfix-script check-fatal || {
+ $FATAL Postfix integrity check failed!
+ exit 1
+ }
+ # Foreground this so it can be stopped. All inodes are cached.
+ $daemon_directory/postfix-script check-warn
+ fi
+ $INFO starting the Postfix mail system
+ # NOTE: wait in foreground process to get the initialization status.
+ $daemon_directory/master -w || {
+ $FATAL "mail system startup failed"
+ exit 1
+ }
+ ;;
+
+drain)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 1
+ }
+ $INFO stopping the Postfix mail system
+ kill -9 `sed 1q pid/master.pid`
+ ;;
+
+quick-stop)
+
+ $daemon_directory/postfix-script stop
+ touch $queue_directory/quick-start
+ ;;
+
+stop)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 0
+ }
+ $INFO stopping the Postfix mail system
+ kill `sed 1q pid/master.pid`
+ for i in 5 4 3 2 1
+ do
+ $daemon_directory/master -t && exit 0
+ $INFO waiting for the Postfix mail system to terminate
+ sleep 1
+ done
+ $WARN stopping the Postfix mail system with force
+ pid=`awk '{ print $1; exit 0 } END { exit 1 }' pid/master.pid` &&
+ kill -9 -$pid
+ ;;
+
+abort)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 0
+ }
+ $INFO aborting the Postfix mail system
+ kill `sed 1q pid/master.pid`
+ ;;
+
+reload)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 1
+ }
+ $INFO refreshing the Postfix mail system
+ $command_directory/postsuper active || exit 1
+ kill -HUP `sed 1q pid/master.pid`
+ $command_directory/postsuper &
+ ;;
+
+flush)
+
+ cd $queue_directory || {
+ $FATAL no Postfix queue directory $queue_directory!
+ exit 1
+ }
+ $command_directory/postqueue -f
+ ;;
+
+check)
+
+ $daemon_directory/postfix-script check-fatal || exit 1
+ $daemon_directory/postfix-script check-warn
+ exit 0
+ ;;
+
+status)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $INFO the Postfix mail system is not running
+ exit 1
+ }
+ $INFO the Postfix mail system is running: PID: `sed 1q pid/master.pid`
+ exit 0
+ ;;
+
+quick-check)
+ # This command is NOT part of the public interface.
+
+ $SHELL $daemon_directory/post-install create-missing || {
+ $WARN unable to create missing queue directories
+ exit 1
+ }
+
+ # Look for incomplete installations.
+
+ test -f $config_directory/master.cf || {
+ $FATAL no $config_directory/master.cf file found
+ exit 1
+ }
+ exit 0
+ ;;
+
+check-fatal)
+ # This command is NOT part of the public interface.
+
+ $daemon_directory/postfix-script quick-check
+
+ # See if all queue files are in the right place. This is slow.
+ # We must scan all queues for mis-named queue files before the
+ # mail system can run.
+
+ $command_directory/postsuper || exit 1
+ exit 0
+ ;;
+
+check-warn)
+ # This command is NOT part of the public interface.
+
+ todo="$config_directory $queue_directory $queue_directory/pid"
+ test -n "$check_shared_files" && todo="$daemon_directory $todo"
+
+ for dir in $todo
+ do
+ ls -lLd $dir | (grep " root " >/dev/null ||
+ $WARN not owned by root: $dir)
+ done
+
+ # Some people break Postfix's security model.
+ ls -lLd $queue_directory | egrep '^.....(w|...w)' >/dev/null && \
+ $WARN group or other writable: $queue_directory
+
+ todo="$config_directory/*"
+ test -n "$check_shared_files" && todo="$daemon_directory/* $todo"
+
+ find $todo ! -user root \
+ -exec $WARN not owned by root: {} \;
+
+ todo="$config_directory/."
+ test -n "$check_shared_files" && todo="$daemon_directory/. $todo"
+
+ find $todo \
+ \( -perm -020 -o -perm -002 \) -type f \
+ -exec $WARN group or other writable: {} \;
+
+ find $data_directory/. ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: {} \;
+
+ ls -lLd $data_directory | egrep '^.....(w|...w)' >/dev/null && \
+ $WARN group or other writable: $data_directory
+
+ find `ls -d $queue_directory/* | \
+ egrep '/(saved|incoming|active|defer|deferred|bounce|hold|trace|corrupt|public|private|flush)$'` \
+ ! \( -type p -o -type s \) ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: {} \;
+
+ todo="$queue_directory/public $queue_directory/maildrop"
+ test -n "$check_shared_files" &&
+ todo="$command_directory/postqueue $command_directory/postdrop $todo"
+
+ find $todo \
+ -prune ! -group $setgid_group \
+ -exec $WARN not owned by group $setgid_group: {} \;
+
+ test -n "$check_shared_files" &&
+ find $command_directory/postqueue $command_directory/postdrop \
+ -prune ! -perm -02111 \
+ -exec $WARN not set-gid or not owner+group+world executable: {} \;
+
+ for name in `ls -d $queue_directory/* | \
+ egrep '/(bin|etc|lib|usr)$'` ; \
+ do \
+ find $name ! -user root \
+ -exec $WARN not owned by root: {} \; ; \
+ done
+
+ # WARNING: this should not descend into the maildrop directory.
+ # maildrop is the least trusted Postfix directory.
+
+ find $queue_directory/maildrop/. -prune ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: $queue_directory/maildrop \;
+
+ for dir in bin etc lib sbin usr
+ do
+ test -d $dir && find $dir -type f -print | while read path
+ do
+ test -f /$path && {
+ cmp -s $path /$path ||
+ $WARN $queue_directory/$path and /$path differ
+ }
+ done
+ done
+
+ find corrupt -type f -exec $WARN damaged message: {} \;
+
+ # XXX also: look for weird stuff, weird permissions, etc.
+
+ test -n "$check_shared_files" -a -f /usr/sbin/sendmail -a \
+ -f /usr/lib/sendmail && {
+ cmp -s /usr/sbin/sendmail /usr/lib/sendmail || {
+ $WARN /usr/lib/sendmail and /usr/sbin/sendmail differ
+ $WARN Replace one by a symbolic link to the other
+ }
+ }
+ exit 0
+ ;;
+
+set-permissions|upgrade-configuration)
+ $daemon_directory/post-install create-missing "$@"
+ ;;
+
+post-install)
+ # Currently not part of the public interface.
+ shift
+ $daemon_directory/post-install "$@"
+ ;;
+
+/*)
+ # Currently not part of the public interface.
+ "$@"
+ ;;
+
+*)
+ $ERROR "unknown command: '$1'"
+ $FATAL "usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration)"
+ exit 1
+ ;;
+
+esac
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMqHz1VnbO55N3KT
+zscMcIBfl9fauAqk3efi5xcNaVpFLiwIlEdZW5gHo3CvJDZtrgKbw+lPLdVkM1Al
+47pDi7UV4dnG+eS+QHuG34xvVQAQcYcNG9LsIUvYeEYeONGSzizRDzm/KcrNZIAS
+xEnUS+Ayk7xvZaxgM2NIjEcim4HZAgMBAAECgYAZXlORHgheAp74Yh1Hf35kBhVN
++16MLsSA9EH/+DUXEo1LBLQWD9JSQ7qsNbPygWCHgR1UDw/tp8RpqKVSwn0wM183
+lHEIiMkxFGiUJBYeKFF4aW+JaxlQwZhqwoFZRHpzNPDh+PBFtEINGk89y40JDpRP
+QmXkiLo+F4yvYVbQ0QJBAPU5ZntOYkc1tqpGtL7XaO8MiNtuPqsuCsryNY4uO05r
+wisAO103ts0wJs99T9OgzvCAxzMGvxStmVQzvtsJTb0CQQDTbiKpPOVr6t7h+Lhb
+0IEhl91T49CbzR54m8ouDcZkM8XybbTCfNUlWpISNkoH0KBxFwxabb33tBrLED8+
+LaBNAkBySd5Jea60IYSQt4Nlrl9pih3+ptLuVPcSvu/W5BUf53kHMYR5XY4E83wj
+F/QsXbYUwPAWB/7mVEIxzCwXSa7BAkEApum5n1Wd4NZo4ohSMtmmN/kGF6YwF++U
+8K48rKLfTle5G6wUGb4nHvgjfREy3HyNTPpfHDyqzhR3WnwXEWU/uQJBANLMG7/C
+iLBTr7t/kHSEOSBfZy5Cia0tidzWsaHKEa2lXgUtfY7aK1hlgOmfaxyXTijo+pQF
+9zLoledO9vqhc6k=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAmSgAwIBAgIJAJCEZu2e+PceMA0GCSqGSIb3DQEBCwUAMIGzMQswCQYD
+VQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xFDASBgNV
+BAoMC0ZyYW5rIEJyZWhtMSQwIgYDVQQLDBtNYWlsIFNlcnZlciBQb3N0Zml4IFNT
+TCBrZXkxGjAYBgNVBAMMEW5zMy51aHUtYmFuYW5lLmRlMSowKAYJKoZIhvcNAQkB
+Fhtwb3N0bWFzdGVyQGJyZWhtLW9ubGluZS5jb20wHhcNMTYwMjI1MTIxODI4WhcN
+MjYwMjIyMTIxODI4WjCBszELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEP
+MA0GA1UEBwwGQmVybGluMRQwEgYDVQQKDAtGcmFuayBCcmVobTEkMCIGA1UECwwb
+TWFpbCBTZXJ2ZXIgUG9zdGZpeCBTU0wga2V5MRowGAYDVQQDDBFuczMudWh1LWJh
+bmFuZS5kZTEqMCgGCSqGSIb3DQEJARYbcG9zdG1hc3RlckBicmVobS1vbmxpbmUu
+Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKh89VZ2zueTdyk87HDHCA
+X5fX2rgKpN3n4ucXDWlaRS4sCJRHWVuYB6NwryQ2ba4Cm8PpTy3VZDNQJeO6Q4u1
+FeHZxvnkvkB7ht+Mb1UAEHGHDRvS7CFL2HhGHjjRks4s0Q85vynKzWSAEsRJ1Evg
+MpO8b2WsYDNjSIxHIpuB2QIDAQABoxUwEzARBglghkgBhvhCAQEEBAMCBkAwDQYJ
+KoZIhvcNAQELBQADgYEAqElUhMP292hIdO/6fGAUNYPSjr2OLOGsu95CYs0snbpi
+6vJq3Xe2J9cZX18NmIGXYUYw28bTbwYvtA5KmIPi/mhgSYNge2XX5ZLMH59JiWzT
+T1Em5mzqrmsAxE/m3uXSswI76UkVkyuUP5sI6aKOISETg3VVLnwA4qJ82688gpc=
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQDxgXhI1UJey63H3ytt27DS95Jp3Yj9eY6FZSPYXrTtq3jrxEG66RiFwEYo
+smJ24McKvaJKu0uepm+y/sYFznBzAgEC
+-----END DH PARAMETERS-----
--- /dev/null
+mail.brehm-online.com vmail:uhu
+helga-six.brehm-online.com vmail:uhu
--- /dev/null
+#!/bin/sh
+# This script tells chronyd that the connection is down
+# so that it won't try to contact the server.
+# John Hasler <jhasler@debian.org> 1998-2003
+# Any possessor of a copy of this program may treat it as if it
+# were in the public domain. I waive all rights.
+
+/bin/pidof chronyd > /dev/null || exit 0
+# Don't mark the connection offline unless we know ppp brought it up.
+test -e /var/run/chrony-ppp-up || exit 0
+KEY=$(awk '$1 ~ /^commandkey$/ { print $2; exit}' /etc/chrony/chrony.conf)
+PASSWORD=`awk '$1 ~ /^'$KEY'$/ {print $2; exit}' /etc/chrony/chrony.keys`
+/usr/bin/chronyc << EOF
+password $PASSWORD
+offline
+EOF
+rm -f /var/run/chrony-ppp-up
+exit 0
--- /dev/null
+#!/bin/sh -e
+
+# Called when an interface disconnects
+# Written by LaMont Jones <lamont@debian.org>
+
+# start or reload Postfix as needed
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+ exit 0
+fi
+
+RUNNING=""
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+ pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+ exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+ if [ "X$exe" = "Xmaster" ]; then
+ RUNNING="y"
+ fi
+fi
+
+if [ ! -x /sbin/resolvconf ]; then
+ f=/etc/resolv.conf
+ if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+ exit 0
+ fi
+ if [ -n "$RUNNING" ]; then
+ /etc/init.d/postfix reload >/dev/null 2>&1
+ fi
+fi
+
+exit 0
--- /dev/null
+#!/bin/sh
+# This script tells chronyd that the connection is up so that it can
+# contact the server. John Hasler <jhasler@debian.org> 1998-2003
+# Any possessor of a copy of this program may treat it as if it
+# were in the public domain. I waive all rights.
+
+/bin/pidof chronyd > /dev/null || exit 0
+KEY=$(awk '$1 ~ /^commandkey$/ { print $2; exit}' /etc/chrony/chrony.conf)
+PASSWORD=`awk '$1 ~ /^'$KEY'$/ {print $2; exit}' /etc/chrony/chrony.keys`
+/usr/bin/chronyc << EOF
+password $PASSWORD
+online
+burst 5/10
+quit
+EOF
+touch /var/run/chrony-ppp-up
+exit 0
--- /dev/null
+#!/bin/sh -e
+# Called when a new interface comes up
+# Written by LaMont Jones <lamont@debian.org>
+
+# don't bother to restart postfix when lo is configured.
+if [ "$IFACE" = "lo" ]; then
+ exit 0
+fi
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+ exit 0
+fi
+
+RUNNING=""
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+ pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+ exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+ if [ "X$exe" = "Xmaster" ]; then
+ RUNNING="y"
+ fi
+fi
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+ f=/etc/resolv.conf
+ if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+ exit 0
+ fi
+ if [ -n "$RUNNING" ]; then
+ /etc/init.d/postfix reload >/dev/null 2>&1
+ fi
+fi
+
+# If master is running, force a queue run to unload any mail that is
+# hanging around. Yes, sendmail is a symlink...
+if [ -n "$RUNNING" ]; then
+ if [ -x /usr/sbin/sendmail ]; then
+ /usr/sbin/sendmail -q >/dev/null 2>&1
+ fi
+fi
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
+++ /dev/null
-../init.d/sendsigs
\ No newline at end of file
+++ /dev/null
-../init.d/rsyslog
\ No newline at end of file
--- /dev/null
+../init.d/sendsigs
\ No newline at end of file
+++ /dev/null
-../init.d/hwclock.sh
\ No newline at end of file
--- /dev/null
+../init.d/rsyslog
\ No newline at end of file
+++ /dev/null
-../init.d/umountnfs.sh
\ No newline at end of file
--- /dev/null
+../init.d/hwclock.sh
\ No newline at end of file
+++ /dev/null
-../init.d/networking
\ No newline at end of file
--- /dev/null
+../init.d/umountnfs.sh
\ No newline at end of file
--- /dev/null
+../init.d/networking
\ No newline at end of file
+++ /dev/null
-../init.d/umountfs
\ No newline at end of file
--- /dev/null
+../init.d/umountfs
\ No newline at end of file
+++ /dev/null
-../init.d/umountroot
\ No newline at end of file
+++ /dev/null
-../init.d/halt
\ No newline at end of file
--- /dev/null
+../init.d/umountroot
\ No newline at end of file
--- /dev/null
+../init.d/halt
\ No newline at end of file
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
+++ /dev/null
-../init.d/rsyslog
\ No newline at end of file
--- /dev/null
+../init.d/rsyslog
\ No newline at end of file
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
--- /dev/null
+../init.d/rsync
\ No newline at end of file
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
--- /dev/null
+../init.d/rsync
\ No newline at end of file
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
--- /dev/null
+../init.d/rsync
\ No newline at end of file
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
--- /dev/null
+../init.d/rsync
\ No newline at end of file
--- /dev/null
+../init.d/chrony
\ No newline at end of file
--- /dev/null
+../init.d/fail2ban
\ No newline at end of file
--- /dev/null
+../init.d/haveged
\ No newline at end of file
--- /dev/null
+../init.d/postfix
\ No newline at end of file
+++ /dev/null
-../init.d/sendsigs
\ No newline at end of file
+++ /dev/null
-../init.d/rsyslog
\ No newline at end of file
--- /dev/null
+../init.d/sendsigs
\ No newline at end of file
+++ /dev/null
-../init.d/hwclock.sh
\ No newline at end of file
--- /dev/null
+../init.d/rsyslog
\ No newline at end of file
+++ /dev/null
-../init.d/umountnfs.sh
\ No newline at end of file
--- /dev/null
+../init.d/hwclock.sh
\ No newline at end of file
+++ /dev/null
-../init.d/networking
\ No newline at end of file
--- /dev/null
+../init.d/umountnfs.sh
\ No newline at end of file
--- /dev/null
+../init.d/networking
\ No newline at end of file
+++ /dev/null
-../init.d/umountfs
\ No newline at end of file
--- /dev/null
+../init.d/umountfs
\ No newline at end of file
+++ /dev/null
-../init.d/umountroot
\ No newline at end of file
+++ /dev/null
-../init.d/reboot
\ No newline at end of file
--- /dev/null
+../init.d/umountroot
\ No newline at end of file
--- /dev/null
+../init.d/reboot
\ No newline at end of file
nameserver 208.94.37.18
nameserver 162.254.24.10
+domain uhu-banane.de
+search uhu-banane.de brehm-online.com hennig-berlin.org
--- /dev/null
+#!/bin/sh -e
+
+# we only need to copy this in if the service is already running.
+# if it's not running, it'll get picked up by the init script on start.
+/etc/init.d/postfix status >/dev/null 2>&1 || exit 0
+
+QUEUEDIR="$(/usr/sbin/postconf -h queue_directory 2>/dev/null || true)"
+if [ -n "$QUEUEDIR" ]; then
+ cp /etc/resolv.conf ${QUEUEDIR}/etc/resolv.conf
+ /etc/init.d/postfix reload >/dev/null 2>&1 || exit 0
+fi
+
+exit 0
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+# Check config syntax on startup and abort if unclean (default: off)
+$AbortOnUncleanConfig on
#################
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability
+module(load="immark" Interval="3600")
# provides UDP syslog reception
#$ModLoad imudp
#### GLOBAL DIRECTIVES ####
###########################
+module(load="impstats"
+ interval="43200"
+ severity="7"
+ log.syslog="off"
+ /* need to turn log stream logging off! */
+ log.file="/var/log/syslog.d/stats.log")
+
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
$DirCreateMode 0755
$Umask 0022
+module(
+ load="builtin:omfile"
+ Template="RSYSLOG_FileFormat"
+ FileCreateMode="0644"
+ DirCreateMode="0755"
+ fileOwnerNum="0"
+ fileGroupNum="0"
+ dirOwnerNum="0"
+ dirGroupNum="0"
+)
+
#
# Where to place spool and state files
#
#
# First some standard log files. Log by facility.
#
-auth,authpriv.* /var/log/auth.log
-*.*;auth,authpriv.none -/var/log/syslog
+#auth,authpriv.* /var/log/auth.log
+#*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
-daemon.* -/var/log/daemon.log
-kern.* -/var/log/kern.log
-lpr.* -/var/log/lpr.log
-mail.* -/var/log/mail.log
-user.* -/var/log/user.log
+#daemon.* -/var/log/daemon.log
+#kern.* -/var/log/kern.log
+#lpr.* -/var/log/lpr.log
+#mail.* -/var/log/mail.log
+#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
-mail.info -/var/log/mail.info
-mail.warn -/var/log/mail.warn
-mail.err /var/log/mail.err
+#mail.info -/var/log/mail.info
+#mail.warn -/var/log/mail.warn
+#mail.err /var/log/mail.err
#
# Logging for INN news system.
#
-news.crit /var/log/news/news.crit
-news.err /var/log/news/news.err
-news.notice -/var/log/news/news.notice
+#news.crit /var/log/news/news.crit
+#news.err /var/log/news/news.err
+#news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
-*.=debug;\
- auth,authpriv.none;\
- news.none;mail.none -/var/log/debug
-*.=info;*.=notice;*.=warn;\
- auth,authpriv.none;\
- cron,daemon.none;\
- mail,news.none -/var/log/messages
+#*.=debug;\
+# auth,authpriv.none;\
+# news.none;mail.none -/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+# auth,authpriv.none;\
+# cron,daemon.none;\
+# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
--- /dev/null
+*.=debug;auth,authpriv,news,mail.none action(
+ type="omfile"
+ File="/var/log/debug.log"
+ FileOwner="root"
+ FileGroup="adm"
+)
+
+*.info;auth,authpriv,cron,daemon,lpr,mail,news.none action(
+ type="omfile"
+ File="/var/log/messages"
+ FileOwner="root"
+ FileGroup="adm"
+)
+
+# Uncomment the following directive to re-enable the
+# deprecated "/var/log/syslog" log file (don't forget to re-enable log
+# rotation in "/etc/logrotate.d/rsyslog" if you do that!)
+#*.*;auth,authpriv.none,mail.none action(
+# type="omfile"
+# File="/var/log/syslog"
+# FileOwner="root"
+# FileGroup="adm"
+#)
+
+*.emerg action(
+ type="omusrmsg"
+ Users="*"
+ action.execOnlyOnceEveryInterval="10"
+)
+
+# Create an additional socket for the default chroot location
+# (used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744)
+#input(type="imuxsock" Socket="/var/empty/dev/log")
+
+
+# vim: filetype=conf
--- /dev/null
+template (
+ name="facility"
+ type="string"
+ string="/var/log/syslog.d/%syslogfacility-text%.log"
+)
+
+*.* action(
+ type="omfile"
+ DynaFile="facility"
+ DirCreateMode="0755"
+ FileCreateMode="0644"
+ FileOwner="root"
+ FileGroup="adm"
+)
+
+*.* action(
+ type="omfile"
+ File="/var/log/all.log"
+ FileOwner="root"
+ FileGroup="adm"
+ Sync="off"
+)
+
+*.warn;news,mail.none action(
+ type="omfile"
+ File="/dev/tty12"
+ FileOwner="root"
+ FileGroup="root"
+)
+
+# vim: filetype=conf
--- /dev/null
+# Create an additional socket in postfix's chroot in order not to break
+# mail logging when rsyslog is restarted. If the directory is missing,
+# rsyslog will silently skip creating the socket.
+$AddUnixListenSocket /var/spool/postfix/dev/log
systemd-resolve:*:16832:0:99999:7:::
systemd-bus-proxy:*:16832:0:99999:7:::
sshd:*:16832:0:99999:7:::
+postfix:*:16856:0:99999:7:::
-root:*:16832:0:99999:7:::
+root:$6$n/6QkbLH$knQ8PlsTI7kSwsgZrH1oJ72y.IYQdIXJ00jdW952wrIkxSaAD63TiA4Rbk2l1nuHFlvkI3wNO618ExXPvZBSY.:16855:0:99999:7:::
daemon:*:16832:0:99999:7:::
bin:*:16832:0:99999:7:::
sys:*:16832:0:99999:7:::
systemd-resolve:*:16832:0:99999:7:::
systemd-bus-proxy:*:16832:0:99999:7:::
sshd:*:16832:0:99999:7:::
+postfix:*:16856:0:99999:7:::
--- /dev/null
+ssl-cert-snakeoil.pem
\ No newline at end of file
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICrDCCAZSgAwIBAgIJAKQSYLM5sJABMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNV
+BAMMA25zMjAeFw0xNjAyMjUxMjA3NDVaFw0yNjAyMjIxMjA3NDVaMA4xDDAKBgNV
+BAMMA25zMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQjO9O6y1Ps
+KKCtigVV45YMs7Wx++hrCCljbUVONhG1Cf8owJnS1RV1NhhmvHLwjrJ3KORhqmNX
+UoIWxfh6jR2AzPZhsn/hnKOLg6gTY19ZwLic/eg8WM0A1t0111Cdk1Ju4pZuOzLP
+JglTIetjoJYPjs2FyX5rWDRUBN8THzbErTBsF5f3Hqm4nzYY+caGs03fr/tLMcVr
+SD3gd0uoJhFjEqKhKlg+5aku71ech/AJGWPIr5LwtZUaAVZ7JNYqpg6na0sGcV5d
+qJ9cThnTf/PF5Lfz4On4qzhD8KXHvTkBaWd7G0U+EnH5JcJHxv5U+Allq6PBo6Mw
+BoHzZSb3BEkCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEA
+UWEonxxNuwBMypJBV+fdLrgxpvNR0Kx+pR5GIQ56WOG2RwQrDazNcWq6H5tZTa+7
+63ENc4g/4v47NGpNJk7EIi69ImucFfWqpR+PuPDDhcl8Af/UNoVkTsXvImopCAyZ
+z+gttqeMuN+o5aVdegLqQm49FV5+I6i4hg5ksgpd0kcj4tOh0zvQR8RNKo8EqVOY
+hU6ou80EvbML1bruzMkK3BuQdNPdusyK8AovRSUseMgrG1BfkwdPBr2qeaxqPwFE
+6XqJ97ZQ01/gcEfilAg68/bzmjhbphnqem0zrq75QHdFbQme74pkoHa7eqaOGJx9
+2lj7outEZ4Qh65NSxJREGQ==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCkIzvTustT7Cig
+rYoFVeOWDLO1sfvoawgpY21FTjYRtQn/KMCZ0tUVdTYYZrxy8I6ydyjkYapjV1KC
+FsX4eo0dgMz2YbJ/4Zyji4OoE2NfWcC4nP3oPFjNANbdNddQnZNSbuKWbjsyzyYJ
+UyHrY6CWD47Nhcl+a1g0VATfEx82xK0wbBeX9x6puJ82GPnGhrNN36/7SzHFa0g9
+4HdLqCYRYxKioSpYPuWpLu9XnIfwCRljyK+S8LWVGgFWeyTWKqYOp2tLBnFeXaif
+XE4Z03/zxeS38+Dp+Ks4Q/Clx705AWlnextFPhJx+SXCR8b+VPgJZaujwaOjMAaB
+82Um9wRJAgMBAAECggEAaSoB/QijmeOnrDtEQWLkbJE622FsK1/YXNxNeKhB0FqU
+Sx3LOUNyL0toG35Ho8UpSIM8egdxajDatmrs8OVkYNDTgdDa00C0YbzT3+58Lu2M
+ozxDGnb/1mmBQT5r9EThzWEqYIPD/ivnDPZstyqgC0Vwk5HypcMVQoHKlTrlNusJ
+9iJHY0+ocLB/HJKGd9tsMI0w1wo9kbC3V0NBjB40fwnSt9S3QtKCOuuOKgZMR5gr
+zt4J28nOb6hQGSWwDcogpMDc6HfW5pWm9r1Kons2ns86ioNZYbGsAvg1lCHpOujv
+N1gTXk97xGOJUHy2KYVHKjJ0hsoHBO/P2fNCt8RfAQKBgQDODk781N7zKXYzSmVa
+2kaMzhY31t2Mf56py8L7TgjPzARenI0yPqn0P4ULGO0nalGLwJFS9EtqpZJ5dj9C
+CAEOPSviYUKIQ76z+rY3UL7Kx6vFmB1EVwpOS2C1GhZPmY1QfDCSisMRLe1GZXSO
+jhGeR9oMRkuLoCw7tAecKi628QKBgQDL6+mjoqEXRSPnGpl/COr6toChOGs6Q5QP
+S62RjWuiIW8hEjz+QqmnNRMsv89lHrFAwIF035bzsf8/McjYpsO6FqiahkNDFqq5
+mbWzSfQh6aYngLckIjJnYiNH9NoVtz3loc5T9yAKt2mE/DFAePj6oGG4vn4qv0Np
+logsXpES2QKBgBfWs/CwN/Lt0wzwCHXQVuUnWo6vPwZoJVUDi9VDG+XedorzlapA
+ca0eRCgahCVROYnvh2CPfsIh0aZXtc3P2z9oeFFCa04UeFWeJcKUht4y535+sLQd
+VcXlFpUdJYOkAiNTmtL5VsQACjlgt3Feok8rhOByqX7H0xY9J7w7bRghAoGAdfJD
+tsPPzPfOplL6SUHNN6nriFRroM2Ji7dH8xILGUGhV02HPcEtA2ttZcqjmGdCOqOd
+vQ2978IaUmDnPHhoaO/GIWpa6SjpImTHdaXmsN7Fnb+TLjEhWi6nHW1/3mOYR4Np
+JaOgQtKHE8YSbqoJyFyPaR21N+Bci2vn41HnMzECgYAMCJJmYErOjIE1rIaubbfD
++r8Lh5xuhkRIUDyzF6IoKFUsMrGbixR/YwKpiQw29bf1GoR4gRETeSPTkVAq4WES
+fqTKQ6wCIXEhxyeETBwxQGQwX9kj47OFlEyat8PUz1E76SoCL/onpSiqj9qGIfIK
+ulJYNIGWoxloCvQizK8PUg==
+-----END PRIVATE KEY-----
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
sshd:362144:65536
+postfix:427680:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
+sshd:362144:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
sshd:362144:65536
+postfix:427680:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
+sshd:362144:65536
--- /dev/null
+/lib/systemd/system/haveged.service
\ No newline at end of file
--- /dev/null
+[Postfix]
+title=Mail server (SMTP)
+description=Postfix is a high-performance mail transport agent
+ports=25/tcp
+
+[Postfix SMTPS]
+title=Mail server (SMTPS)
+description=Postfix is a high-performance mail transport agent
+ports=465/tcp
+
+[Postfix Submission]
+title=Mail server (Submission)
+description=Postfix is a high-performance mail transport agent
+ports=587/tcp
projects / config / ns2 / etc.git / commitdiff