-rw-r--r--core/conf/iptables/iptables-lan.sh578
-rw-r--r--core/configure.html1
-rw-r--r--core/grsecurity.html7
-rw-r--r--core/reboot.html2
-rw-r--r--core/toolchain.html19
-rw-r--r--dev/php/index.html23
-rw-r--r--legal/index.html2
-rw-r--r--tools/conf/etc/nginx/nginx.conf13
-rwxr-xr-xtools/conf/etc/rc.d/git-daemon42
-rw-r--r--tools/gitolite.html23
-rw-r--r--tools/network.html7
-rw-r--r--tools/nginx.html19
-rw-r--r--tools/nmap.html2
-rw-r--r--tools/scripts/pkgmk-test.conf2
-rw-r--r--tools/scripts/setup-nginx.sh22
-rw-r--r--tools/x.html3
16 files changed, 443 insertions, 322 deletions
diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh
index 58d92c3..491bc3b 100644
--- a/core/conf/iptables/iptables-lan.sh
+++ b/core/conf/iptables/iptables-lan.sh
@@ -1,322 +1,336 @@
 #!/bin/sh
 
-#------------------------------------------------------------------------------
 #
-# File: iptables_mint17.sh
+#                                XXXXXXXXXXXXXXXXX
+#                                XXXX Network XXXX
+#                                XXXXXXXXXXXXXXXXX
+#                                        +
+#                                        |
+#                                        v
+#  +-------------+              +------------------+
+#  |table: filter| <---+        | table: nat       |
+#  |chain: INPUT |     |        | chain: PREROUTING|
+#  +-----+-------+     |        +--------+---------+
+#        |             |                 |
+#        v             |                 v
+#  [local process]     |           ****************          +--------------+
+#        |             +---------+ Routing decision +------> |table: filter |
+#        v                         ****************          |chain: FORWARD|
+# ****************                                           +------+-------+
+# Routing decision                                                  |
+# ****************                                                  |
+#        |                                                          |
+#        v                        ****************                  |
+# +-------------+       +------>  Routing decision  <---------------+
+# |table: nat   |       |         ****************
+# |chain: OUTPUT|       |               +
+# +-----+-------+       |               |
+#       |               |               v
+#       v               |      +-------------------+
+# +--------------+      |      | table: nat        |
+# |table: filter | +----+      | chain: POSTROUTING|
+# |chain: OUTPUT |             +--------+----------+
+# +--------------+                      |
+#                                       v
+#                               XXXXXXXXXXXXXXXXX
+#                               XXXX Network XXXX
+#                               XXXXXXXXXXXXXXXXX
 #
-# http://www.hardenedlinux.org
+# iptables [-t table] {-A|-C|-D} chain rule-specification
 #
-# Reference: Ruslan Abuzant <ruslan@abuzant.com>,  http://www.hackersgarage.com/
-# Changed by: Silvino Silva <silvino@bk.ru>
+# iptables [-t table] {-A|-C|-D} chain  rule-specification
 #
-# License: GNU GPL (version 2, or any later version).
+# iptables  [-t table] -I chain [rulenum] rule-specification
 #
-# Configuration.
-#------------------------------------------------------------------------------
-
-# For debugging use iptables -v.
-IPTABLES="/usr/sbin/iptables"
-IP6TABLES="/usr/sbin/ip6tables"
-MODPROBE="/sbin/modprobe"
-RMMOD="/sbin/rmmod"
-ARP="/usr/sbin/arp"
-
-# NIC interfaces
-NIC_NAME="enp8s0 wlp7s0"
-
-# Logging options.
-#------------------------------------------------------------------------------
-LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options"
-
-
-# Defaults for rate limiting
-#------------------------------------------------------------------------------
-RLIMIT="-m limit --limit 3/s --limit-burst 8"
-
-
-# Unprivileged ports.
-#------------------------------------------------------------------------------
-PHIGH="1024:65535"
-PSSH="1000:1023"
-
-
-# Load required kernel modules
-#------------------------------------------------------------------------------
-$MODPROBE ip_conntrack_ftp
-$MODPROBE ip_conntrack_irc
-
-
-# Mitigate ARP spoofing/poisoning and similar attacks.
-#------------------------------------------------------------------------------
-# Hardcode static ARP cache entries here
-# $ARP -s IP-ADDRESS MAC-ADDRESS
-
-
-# Default policies.
-#------------------------------------------------------------------------------
-
-# Drop everything by default.
-$IPTABLES -P INPUT DROP
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT DROP
-
-# Set the nat/mangle/raw tables' chains to DROP
-
-$IPTABLES -t mangle -P PREROUTING ACCEPT
-$IPTABLES -t mangle -P INPUT ACCEPT
-$IPTABLES -t mangle -P FORWARD ACCEPT
-$IPTABLES -t mangle -P OUTPUT ACCEPT
-$IPTABLES -t mangle -P POSTROUTING ACCEPT
-
-# Cleanup.
-#------------------------------------------------------------------------------
-
-# Delete all
-$IPTABLES -F
-$IPTABLES -t mangle -F
-
-# Delete all
-$IPTABLES -X
-$IPTABLES -t mangle -X
-
-# Zero all packets and counters.
-$IPTABLES -Z
-$IPTABLES -t mangle -Z
-
-# Completely disable IPv6.
-#------------------------------------------------------------------------------
-
-# Block all IPv6 traffic
-# If the ip6tables command is available, try to block all IPv6 traffic.
-#if test -x $IP6TABLES; then
-# Set the default policies
-# drop everything
-#$IP6TABLES -P INPUT DROP
-#$IP6TABLES -P FORWARD DROP
-#$IP6TABLES -P OUTPUT DROP
+# iptables [-t table] -R chain rulenum  rule-specification
+#
+# iptables [-t table] -D chain rulenum
 #
-## The mangle table can pass everything
-#$IP6TABLES -t mangle -P PREROUTING ACCEPT
-#$IP6TABLES -t mangle -P INPUT ACCEPT
-#$IP6TABLES -t mangle -P FORWARD ACCEPT
-#$IP6TABLES -t mangle -P OUTPUT ACCEPT
-#$IP6TABLES -t mangle -P POSTROUTING ACCEPT
-
-# Delete all rules.
-#$IP6TABLES -F 2>/dev/null
-#$IP6TABLES -t mangle -F 2>/dev/null
+# iptables [-t table] -S [chain [rulenum]]
 #
-## Delete all chains.
-#$IP6TABLES -X 2>/dev/null
-#$IP6TABLES -t mangle -X 2>/dev/null
+# iptables  [-t  table]  {-F|-L|-Z} [chain [rulenum]] [options...]
 #
-## Zero all packets and counters.
-#$IP6TABLES -Z 2>/dev/null
-#$IP6TABLES -t mangle -Z 2>/dev/null
-#fi
-
-# Custom user-defined chains.
-#------------------------------------------------------------------------------
-
-# LOG packets, then ACCEPT.
-$IPTABLES -N ACCEPTLOG
-$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT "
-$IPTABLES -A ACCEPTLOG -j ACCEPT
-
-# LOG packets, then DROP.
-$IPTABLES -N DROPLOG
-$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP "
-$IPTABLES -A DROPLOG -j DROP
-
-# LOG packets, then REJECT.
-# TCP packets are rejected with a TCP reset.
-$IPTABLES -N REJECTLOG
-$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT "
-$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
-$IPTABLES -A REJECTLOG -j REJECT
-
-# Allow loopback interface to do anything.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-
-# Only allows RELATED ICMP types
-# (destination-unreachable, time-exceeded, and parameter-problem).
-# TODO: Rate-limit this traffic?
-# TODO: Allow fragmentation-needed?
-# TODO: Test.
-$IPTABLES -N RELATED_ICMP
-$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
-$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
-$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
-$IPTABLES -A RELATED_ICMP -j DROPLOG
-
-# Make It Even Harder To Multi-PING
-$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
-$IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
-$IPTABLES  -A INPUT -p icmp -j DROP
-$IPTABLES  -A OUTPUT -p icmp -j ACCEPT
+# iptables [-t table] -N chain
+#
+# iptables [-t table] -X [chain]
+#
+# iptables [-t table] -P chain target
+#
+# iptables [-t table]  -E  old-chain-name  new-chain-name
+#
+# rule-specification = [matches...] [target]
+#
+# match = -m matchname [per-match-options]
+#
+#
+# Targets
+#
+# can be a user defined chain
+#
+# ACCEPT - accepts the packet
+# DROP   - drop the packet on the floor
+# QUEUE  - packet will be stent to queue
+# RETURN - stop traversing this chain and
+#          resume ate the next rule in the
+#          previeus (calling) chain.
+#
+# if packet reach the end of the chain or
+# a target RETURN, default policy for that
+# chain is applayed.
+#
+# Target Extensions
+#
+# AUDIT
+# CHECKSUM
+# CLASSIFY
+# DNAT
+# DSCP
+# LOG
+#     Torn on kernel logging, will print some
+#     some information on all matching packets.
+#     Log data can be read with dmesg or syslogd.
+#     This is a non-terminating target and a rule
+#     should be created with matching criteria.
+#
+#     --log-level level
+#           Level of logging (numeric or see sys-
+#           log.conf(5)
+#
+#     --log-prefix prefix
+#           Prefix log messages with specified prefix
+#           up to 29 chars log
+#
+#     --log-uid
+#           Log the userid of the process with gener-
+#           ated the packet
+# NFLOG
+#     This target pass the packet to loaded logging
+#     backend to log the packet. One or more userspace
+#     processes may subscribe to the group to receive
+#     the packets.
+#
+# ULOG
+#     This target provides userspace logging of maching
+#     packets. One or more userspace processes may then
+#     then subscribe to various multicast groups and
+#     then receive the packets.
+#
+#
+# Commands
+#
+# -A, --append chain rule-specification
+# -C, --check chain rule-specification
+# -D, --delete chain rule-specification
+# -D, --delete chain rulenum
+# -I, --insert chain [rulenum] rule-specification
+# -R, --replace chain rulenum rule-specification
+# -L, --list [chain]
+# -P, --policy chain target
+#
+# Parameters
+#
+# -p, --protocol protocol
+#       tcp, udp, udplite, icmp, esp, ah, sctp, all
+# -s, --source address[/mask][,...]
+# -d, --destination address[/mask][,...]
+# -j, --jump target
+# -g, --goto chain
+# -i, --in-interface name
+# -o, --out-interface name
+# -f, --fragment
+# -m, --match options module-name
+#       iptables can use extended packet matching
+#       modules.
+# -c, --set-counters packets bytes
+
+IPT="/usr/sbin/iptables"
+SPAMLIST="blockedip"
+SPAMDROPMSG="BLOCKED IP DROP"
+PUB_IF="wlp7s0"
+DHCP_SERV="192.168.1.1"
+PUB_IP="192.168.1.33"
+PRIV_IF="br0"
+
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+
+echo "Stopping ipv4 firewall and deny everyone..."
+
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t raw -F
+iptables -t raw -X
+iptables -t security -F
+iptables -t security -X
+
+
+echo "Starting ipv4 firewall filter table..."
+
+# Set Default Rules
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Unlimited on local
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+# Block sync
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: "
+$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+
+# Block Fragments
+$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: "
+$IPT -A INPUT -f -j DROP
+
+# Block bad stuff
+$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: "
+$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: "
+$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
+
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: "
+$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
+
+$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+##### Add your AP rules below ######
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT
+$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT
+
+$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP}
+$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT
+$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT
+#
+##### Server rules below ######
 
-# Only allow the minimally required/recommended parts of ICMP. Block the rest.
-#------------------------------------------------------------------------------
+#echo "Allow ICMP"
+$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT
 
-# TODO: This section needs a lot of testing!
+#echo "Allow DNS Server"
+#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53  -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT
 
-# First, drop all fragmented ICMP packets (almost always malicious).
-$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
-$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
-$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
+echo "Allow HTTP and HTTPS server"
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
-# Allow all ESTABLISHED ICMP traffic.
-$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
-$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+#echo "Allow ssh server"
+#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
+#$IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
 
-# Allow some parts of the RELATED ICMP traffic, block the rest.
-$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
-$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+##### Add your rules below ######
 
-# Allow incoming ICMP echo requests (ping), but only rate-limited.
-$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+echo "Allow DNS Client"
 
-# Allow outgoing ICMP echo requests (ping), but only rate-limited.
-$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 
-# Drop any other ICMP traffic.
-$IPTABLES -A INPUT -p icmp -j DROPLOG
-$IPTABLES -A OUTPUT -p icmp -j DROPLOG
-$IPTABLES -A FORWARD -p icmp -j DROPLOG
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# Selectively allow certain special types of traffic.
-#------------------------------------------------------------------------------
+echo "Allow Whois Client"
 
-# Allow incoming connections related to existing allowed connections.
-$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# Allow outgoing connections EXCEPT invalid
-$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+echo "Allow HTTP Client"
 
-# Miscellaneous.
-#------------------------------------------------------------------------------
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# We don't care about Milkosoft, Drop SMB/CIFS/etc..
-#                     ^ greedyevilsoft
-$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
-$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
+echo "Allow Rsync Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
 
-# Explicitly drop invalid incoming traffic
-$IPTABLES -A INPUT -m state --state INVALID -j DROP
+echo "Allow POP3S Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
 
-# Drop invalid outgoing traffic, too.
-$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+echo "Allow SMTPS Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT
 
-# If we would use NAT, INVALID packets would pass - BLOCK them anyways
-$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+echo "Allow NTP Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
 
-# PORT Scanners (stealth also)
-$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
-$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-# TODO: Some more anti-spoofing rules? For example:
-$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG
-$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG
+echo "Allow IRC Client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT
 
-$IPTABLES -N SYN_FLOOD
-$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
-$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
+echo "Allow Active FTP Client"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
 
-$IPTABLES -A SYN_FLOOD -j DROP
+echo "Allow Git"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT
 
-#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7
-#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG
+echo "Allow ssh client"
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+$IPT -A INPUT  -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
-#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: "
-#$IPTABLES -A INPUT -f -j DROP
-$IPTABLES -A INPUT -f -j DROPLOG
+#echo "Allow Passive Connections"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
 
-# Selectively allow certain inbound connections, block the rest.
-#------------------------------------------------------------------------------
+# echo "Allow FairCoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT
+# 
+# echo "Allow Dashcoin"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT
+# 
+# echo "Allow warzone2100"
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT
+# 
+# echo "Allow wesnoth"
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT
+# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT
 
-# Allow incoming SSH requests.
-#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+##### END your rules ############
+# Less log of known traffic
 
-# Allow incoming https server
-#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT
+# RIP protocol
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP
 
+# DHCP
+$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT
 
-# Selectively allow certain outbound connections, block the rest.
-#------------------------------------------------------------------------------
-#
+# log everything else and drop
+$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
 
-# Allow ping
-$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-# Allow to ssh clients
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-
-# Allow to dns
-$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow irc
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to xmmp
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-# Allow to rsync server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to pop3s server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to smtps server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to ntp server
-$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to ftp server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to https server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-# Allow to http server
-$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-
-# Selectively allow certain outbound server connections, block the rest.
-#------------------------------------------------------------------------------
-
-# Allow from https server
-#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
-
-# Allow from dns server
-#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT
-
-# Explicitly log and reject everything else.
-#------------------------------------------------------------------------------
-# Use REJECT instead of REJECTLOG if you don't need/want logging.
-$IPTABLES -A INPUT -j DROPLOG
-$IPTABLES -A OUTPUT -j DROPLOG
-$IPTABLES -A FORWARD -j REJECTLOG
-
-# Counter hits
-
-#for i in $NIC_NAME
-#do
-#	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set
-#	iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP
-#done
-
-#------------------------------------------------------------------------------
-# Testing the firewall.
-#------------------------------------------------------------------------------
-
-# You should check/test that the firewall really works, using
-# iptables -vnL, nmap, ping, telnet, ...
-
-# Exit gracefully.
-#------------------------------------------------------------------------------
 exit 0
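Review bot: The forwarding rule `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT` (paired with `echo 1 > /proc/sys/net/ipv4/ip_forward` a few lines above it) accepts every new connection arriving on ${PUB_IF} and bound for ${PRIV_IF}, so the SNAT'd hosts behind br0 are reachable from the public side by anything that can route to their addresses; the return-traffic rule should be `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT`, matching the conntrack style the rest of the file uses. Two smaller points in the same hunk: the flush-and-policy section calls bare `iptables` while everything after it uses `$IPT`, so a PATH lookup decides which binary resets the default policies — use `$IPT` throughout; and `SPAMLIST`/`SPAMDROPMSG` are assigned but never referenced in this file, so either the blocked-ip chain they were meant for is missing or they are dead variables. The `modprobe ip_conntrack` / `ip_conntrack_ftp` lines use the legacy module aliases and ignore modprobe's exit status; on a kernel where those aliases do not resolve, the "Allow Passive Connections" rules silently lose their FTP helper, which deserves either a `|| echo "conntrack helper not loaded" >&2` or a comment stating the kernel this script assumes.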
diff --git a/core/configure.html b/core/configure.html
index 6349b65..b3ca259 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -253,6 +253,7 @@
         pkgmk                                      /usr/ports/work tmpfs        size=30G,gid=101,uid=100,defaults       0       0
         UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	        defaults,nodev,errors=remount-ro	0	0
         UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4            defaults,nodev,nosuid,errors=remount-ro	0	0
+        #UUID=04f07488ce7b36205acc6d404dcf924643660ac5
 
         # End of file
         </pre>
diff --git a/core/grsecurity.html b/core/grsecurity.html
index 30ee28c..48ac2b2 100644
--- a/core/grsecurity.html
+++ b/core/grsecurity.html
@@ -15,7 +15,7 @@
         <a href="../core/reboot.html#linux">port kernel</a>, for manual
         configuration check <a href="linux.html">linux kernel</a>. Configuration
         is not enable by default, groups with special permissions and other
-        protections are set with <a href="sysctl.html">sysctl.html</a>;</p>
+        protections are set with <a href="sysctl.html">sysctl</a>;</p>
 
         <dl>
 
@@ -56,6 +56,11 @@
         <dd>Deny server sockets to this group.</dd>
 
         </dl>
+        <p>At run time you can change some configurations;</p>
+
+        <pre>
+        # cat /proc/sys/kernel/grsecurity/what_ever_setting
+        </pre>
 
         <p>Kernel configuration related to grsecurity;</p>
 
diff --git a/core/reboot.html b/core/reboot.html
index c60265a..aa45a0f 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -99,7 +99,7 @@
         # grub-probe --target=hints_string /
         </pre>
 
-        <h3>Rescue iso</h3>
+        <h3>1.4.3.1. Rescue iso</h3>
 
         <p>Simple way to have "resque" system is to mount boot as read only,
         this assures that even as root nothing can be changed without remount.
diff --git a/core/toolchain.html b/core/toolchain.html
index b5d4bb1..04b58e3 100644
--- a/core/toolchain.html
+++ b/core/toolchain.html
@@ -74,6 +74,25 @@
         export LDFLAGS=""
         </pre>
 
+        <h4>Openssl</h4>
+
+        <p>Replace openssl by libressl, view if
+        <a href="https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/libressl/Pkgfile">libressl port</a> from 6c37-dropin is updated with
+        latest <a href="https://raw.githubusercontent.com/libressl-portable/portable/master/ChangeLog">libressl upstream</a>. First install libressl
+        to ensure it gets all the sources;
+
+        <pre>
+        $ sudo prt-get depinst libressl
+        </pre>
+
+        <p>After complaining about openssl files remove openssl;
+
+        <pre>
+        $ sudo prt-get remove openssl
+        $ sudo prt-get depinst libressl
+        </pre>
+
+
         <h4>libcap</h4>
 
         <ul>
diff --git a/dev/php/index.html b/dev/php/index.html
index 2a44270..a4549f1 100644
--- a/dev/php/index.html
+++ b/dev/php/index.html
@@ -9,10 +9,31 @@
 
         <h1>c9 PHP</h1>
 
+
+        <h2>Hello World</h2>
+
+        <p>PHP comes with a built in server that helps to speed up
+        developing by not having to configure a system web server,
+        first create file index.php;</p>
+
+        <pre>
+        &lt;?php
+           echo "Hello World";
+        </pre>
+
+        <p>Now run the server;</p>
+
+        <pre>
+        $ php -S localhost:8000
+        </pre>
+
+        <p>Open your browser and browse http://localhost:8000,
+        you should see "Hello World".</p>
+
         <a href="../index.html">Development Index</a>
         <p>
         This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/legal/index.html b/legal/index.html
index 0912ad8..677a540 100644
--- a/legal/index.html
+++ b/legal/index.html
@@ -19,7 +19,7 @@
 
         <ul>
             <li><a href="">Brasil</a></li>
-            <li><a href="">Portugal</a></li>
+            <li>Portugal (lost case, completed owned by corporations interests)</li>
         </ul>
 
         <a href="../index.html">Documentation Index</a>
diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf
index ddbdee6..8fca293 100644
--- a/tools/conf/etc/nginx/nginx.conf
+++ b/tools/conf/etc/nginx/nginx.conf
@@ -3,7 +3,7 @@
 #
 
 
-user nginx;
+user www;
 worker_processes auto;
 
 error_log /var/log/nginx/error.log;
@@ -20,16 +20,6 @@ http {
     include       mime.types;
     default_type  application/octet-stream;
 
-    ##
-    # SSL Settings
-    ##
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
-    ssl_prefer_server_ciphers on;
-
-    # ssl on;
-    ssl_certificate /etc/ssl/certs/nginx.crt;
-    ssl_certificate_key /etc/ssl/keys/nginx.key;
-
     #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
     #                  '$status $body_bytes_sent "$http_referer" '
     #                  '"$http_user_agent" "$http_x_forwarded_for"';
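Review bot: With the `ssl_protocols` and `ssl_prefer_server_ciphers` lines dropped from the `http` context, any `server` block that still does `listen ... ssl` falls back to the nginx build's default protocol list unless it sets `ssl_protocols` itself; the server blocks are not visible from this hunk, so please confirm the TLS settings moved there rather than disappearing. If they did move, a one-line comment at the removal site, `# TLS settings live in the per-site server blocks`, would save the next reader the search.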
@@ -40,6 +30,7 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
+    client_max_body_size 8M;
     keepalive_timeout  65;
     client_body_timeout 12;
     client_header_timeout 12;
diff --git a/tools/conf/etc/rc.d/git-daemon b/tools/conf/etc/rc.d/git-daemon
new file mode 100755
index 0000000..8aa9d81
--- /dev/null
+++ b/tools/conf/etc/rc.d/git-daemon
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+SSD=/sbin/start-stop-daemon
+NAME=git-daemon
+PROG=$(git --exec-path)/${NAME}
+USER=www
+GROUP=www
+PIDFILE=/var/run/git-daemon.pid
+OPTS="--verbose --reuseaddr --base-path=/srv/gitolite/repositories"
+
+case $1 in
+    start)
+        echo "Starting ${NAME}..."
+        $SSD --start \
+            --pidfile ${PIDFILE} \
+            --exec ${PROG} -- ${OPTS} \
+            --detach --pid-file=${PIDFILE} \
+            --user=${USER} --group=${GROUP}
+
+    ;;
+    stop)
+        echo "Stopping ${NAME}..."
+        $SSD --stop --quiet --name git-daemon \
+                            --pidfile ${PIDFILE}
+        ;;
+    restart)
+        echo "Restarting ${NAME}..."
+        $0 stop
+        $0 start
+        ;;
+    status)
+        $SSD --status --pidfile $PIDFILE
+        case $? in
+        0) echo "$PROG is running with pid $(cat $PIDFILE )" ;;
+        3) echo "$PROG is not running" ;;
+        4) echo "Unable to determine the program status" ;;
+        esac
+        ;;
+    *)
+        echo "usage: $0 [start|stop|restart|status]"
+        ;;
+esac
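Review bot: The `status` arm handles start-stop-daemon exit codes 0, 3 and 4 but not 1, which `--status` returns when the process is dead but the pidfile still exists, so a stale /var/run/git-daemon.pid prints nothing at all; add `1) echo "$PROG is not running but ${PIDFILE} remains" ;;` and quote the expansions there, `$SSD --status --pidfile "$PIDFILE"` and `$(cat "$PIDFILE")`. The daemon is dropped to the same `www` user and group that the nginx.conf hunk in this commit assigns to the web server, so a compromise of either service carries the other's access to /srv/gitolite/repositories; a dedicated account for git-daemon would keep the two separated. A header comment would also help: OPTS passes no `--export-all`, so only repositories carrying a git-daemon-export-ok file are served, and no `--listen` address is given, so as far as this script shows the daemon binds to all interfaces.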
diff --git a/tools/gitolite.html b/tools/gitolite.html
index ab1ad3a..a275c23 100644
--- a/tools/gitolite.html
+++ b/tools/gitolite.html
@@ -552,24 +552,35 @@
 
         <h3>5.2. Configure nginx</h3>
 
-        <p>Edit /etc/rc.d/fcgiwrap to run as nginx user member of gitolite
-        and www group;</p>
+        <p>Edit /etc/rc.d/fcgiwrap to run as www user member of www group;</p>
 
         <pre>
-        USER=nginx
-        GROUP=nginx
+        USER=www
+        GROUP=www
         </pre>
 
+        <p>Permissions for /srv/gitolite/repositories directories should be
+        0750/drwxr-x---.</p>
+
         <pre>
-        # usermod -G www,gitolite nginx
+        $ chown gitolite:www /srv/gitolite
+        $ chown -R gitolite:www /srv/gitolite/projects.list
+        $ chown -R gitolite:www /srv/gitolite/repositories
         </pre>
 
-        <p>Create link from gitweb to web server folder;</p>
+        <p>A link from gitweb don't work under grsecurity since user www can't
+        follow simlink to root. Make a copy, later deploy via gitolite hook.</p>
 
+        <p>Link;</p>
         <pre>
         # ln -s /usr/share/gitweb /srv/www
         </pre>
 
+        <p>Copy;</p>
+        <pre>
+        # cp -r /usr/share/gitweb /srv/www
+        </pre>
+
         <p>Add this to default or main
 	<a href="nginx.html#virtual-host">nginx virtual host</a>;</p>
 
diff --git a/tools/network.html b/tools/network.html
index 9cf5395..c4e99f6 100644
--- a/tools/network.html
+++ b/tools/network.html
@@ -23,14 +23,11 @@
         to update ip every 5 minutes, check
         <a href="https://freedns.afraid.org/dynamic/v2/tips/">about dynamic interface</a>. To run as system cron job add as root and remove path line from example;</p>
         <pre>
-        PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-        </pre>
-
-        <pre>
         # crontab -e
         </pre>
 
-        <p>Example from afraid uses curl and will log output to /tmp/freedns*</p>
+        <p>Example from afraid uses curl and will log output to /tmp/freedns*,
+        change to /var/log/freedns</p>
 
         <h2 id="bridge">Bridges</h2>
 
diff --git a/tools/nginx.html b/tools/nginx.html
index 6d4f355..a85cf0e 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -43,6 +43,25 @@
 
         <h2 id="certs">2. Certificates</h2>
 
+        <h3 id="letsencrypt">2.1. Lets encrypt</h2>
+
+        <p>Example of nginx location block on public pmwiki setup;</p>
+
+        <pre>
+        #ACME challenge
+        location ^~ /.well-known {
+              allow all;
+              alias /srv/www/c9-pmwiki/pub/cert/.well-known/;
+              default_type "text/plain";
+              try_files $uri =404;
+        }
+        </pre>
+
+        <pre>
+        # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
+        </pre>
+
+        <h3 id="mancert">2.2. Self certificate</h2>
         <p>Certificates allow a more secure connection. Lets create
         self-signed certificate;</p>
 
diff --git a/tools/nmap.html b/tools/nmap.html
index c07ec0f..c3d5316 100644
--- a/tools/nmap.html
+++ b/tools/nmap.html
@@ -24,7 +24,7 @@
         <p>Or by hostname;</p>
 
         <pre>
-        # nmap -v c9.root.cx
+        # nmap -v c9.root.sx
         </pre>
 
         <p>Check OS and version detection;</p>
diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf
index 623c52c..db9978d 100644
--- a/tools/scripts/pkgmk-test.conf
+++ b/tools/scripts/pkgmk-test.conf
@@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in
 		;;
 esac
 
-PKGMK_SOURCE_MIRRORS=(https://c9.root.cx/ports/distfiles/)
+PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)
 # PKGMK_SOURCE_DIR="$PWD"
 # PKGMK_PACKAGE_DIR="$PWD"
 # PKGMK_WORK_DIR="$PWD/work"
diff --git a/tools/scripts/setup-nginx.sh b/tools/scripts/setup-nginx.sh
index decacc1..11065d2 100644
--- a/tools/scripts/setup-nginx.sh
+++ b/tools/scripts/setup-nginx.sh
@@ -1,16 +1,16 @@
 #!/bin/sh
 
-. `dirname $0`/config-install.sh
-
-prt-get depinst nginx
-
-cp -R $CONF_DIR/etc/nginx/* /etc/nginx/
-
-mkdir /srv/www
-chown nginx:www /srv/www
-
-usermod -a -G www nginx
-usermod -m -d /srv/www nginx
+#. `dirname $0`/config-install.sh
+#
+#prt-get depinst nginx
+#
+#cp -R $CONF_DIR/etc/nginx/* /etc/nginx/
+#
+#mkdir /srv/www
+#chown www:www /srv/www
+#
+#usermod -a -g www nginx
+#usermod -m -d /srv/www nginx
 
 openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
 openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
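Review bot: Commenting out the whole provisioning section instead of deleting it leaves dead code the repository history already preserves, and the commented `usermod -a -g www nginx` would fail if ever uncommented, because `-a` is only accepted together with `-G` (the line it replaced used `-G`); either drop the block or keep it as a working `usermod -a -G www nginx`. The live lines that remain still generate a DES3 passphrase-protected key into /etc/ssl/keys/nginx.key, which nginx cannot load at start-up without a passphrase prompt or a password file, while the nginx.conf hunk in this commit removes the `ssl_certificate`/`ssl_certificate_key` lines that consumed it, so the script's remaining purpose should be stated in a header comment, e.g. `# Generates a self-signed key/cert pair for a manually configured vhost; nginx.conf no longer references it.` The script continues past the end of the hunk.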
diff --git a/tools/x.html b/tools/x.html
index 027d58a..8a68c5b 100644
--- a/tools/x.html
+++ b/tools/x.html
@@ -36,13 +36,14 @@
              xorg-font-dejavu-ttf \
              xorg-font-cursor-misc \
              xorg-font-misc-misc \
+             console-font-terminus \
+             xorg-font-terminus \
              xorg-font-mutt-misc
 
         $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst
         $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
         </pre>
 
-        <p>From 6c37 collection;</p>
 
         <pre>
         $ prt-get search otf- | xargs sudo prt-get depinst