From 4d7fb876df126a17b4e3e80644d54460b6eac3b2 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 8 Feb 2017 19:46:23 +0000 Subject: nginx fix generated key name --- tools/nginx.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tools/nginx.html') diff --git a/tools/nginx.html b/tools/nginx.html index 5a2e00c..6d4f355 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -125,7 +125,7 @@
         $ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
         $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
-	$ sudo chmod 644 /etc/ssl/certs/nginx.cert
+	$ sudo chmod 644 /etc/ssl/certs/nginx.crt
         

3. Nginx Configuration

-- cgit 1.4.1-2-gfad0 From 079066bc153f3a6fe84b5da0b8fa8e584641b46d Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 1 Mar 2017 21:27:03 +0000 Subject: overall revision --- core/conf/iptables/iptables-lan.sh | 578 +++++++++++++++++++------------------ core/configure.html | 1 + core/grsecurity.html | 7 +- core/reboot.html | 2 +- core/toolchain.html | 19 ++ dev/php/index.html | 23 +- legal/index.html | 2 +- tools/conf/etc/nginx/nginx.conf | 13 +- tools/conf/etc/rc.d/git-daemon | 42 +++ tools/gitolite.html | 23 +- tools/network.html | 7 +- tools/nginx.html | 19 ++ tools/nmap.html | 2 +- tools/scripts/pkgmk-test.conf | 2 +- tools/scripts/setup-nginx.sh | 22 +- tools/x.html | 3 +- 16 files changed, 443 insertions(+), 322 deletions(-) create mode 100755 tools/conf/etc/rc.d/git-daemon (limited to 'tools/nginx.html') diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index 58d92c3..491bc3b 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh @@ -1,322 +1,336 @@ #!/bin/sh -#------------------------------------------------------------------------------ # -# File: iptables_mint17.sh +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX # -# http://www.hardenedlinux.org +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# Reference: Ruslan Abuzant , http://www.hackersgarage.com/ -# Changed by: Silvino Silva +# iptables [-t table] {-A|-C|-D} chain rule-specification # -# License: GNU GPL (version 2, or any later version). +# iptables [-t table] -I chain [rulenum] rule-specification # -# Configuration. -#------------------------------------------------------------------------------ - -# For debugging use iptables -v. -IPTABLES="/usr/sbin/iptables" -IP6TABLES="/usr/sbin/ip6tables" -MODPROBE="/sbin/modprobe" -RMMOD="/sbin/rmmod" -ARP="/usr/sbin/arp" - -# NIC interfaces -NIC_NAME="enp8s0 wlp7s0" - -# Logging options. -#------------------------------------------------------------------------------ -LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" - - -# Defaults for rate limiting -#------------------------------------------------------------------------------ -RLIMIT="-m limit --limit 3/s --limit-burst 8" - - -# Unprivileged ports. -#------------------------------------------------------------------------------ -PHIGH="1024:65535" -PSSH="1000:1023" - - -# Load required kernel modules -#------------------------------------------------------------------------------ -$MODPROBE ip_conntrack_ftp -$MODPROBE ip_conntrack_irc - - -# Mitigate ARP spoofing/poisoning and similar attacks. -#------------------------------------------------------------------------------ -# Hardcode static ARP cache entries here -# $ARP -s IP-ADDRESS MAC-ADDRESS - - -# Default policies. -#------------------------------------------------------------------------------ - -# Drop everything by default. -$IPTABLES -P INPUT DROP -$IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT DROP - -# Set the nat/mangle/raw tables' chains to DROP - -$IPTABLES -t mangle -P PREROUTING ACCEPT -$IPTABLES -t mangle -P INPUT ACCEPT -$IPTABLES -t mangle -P FORWARD ACCEPT -$IPTABLES -t mangle -P OUTPUT ACCEPT -$IPTABLES -t mangle -P POSTROUTING ACCEPT - -# Cleanup. -#------------------------------------------------------------------------------ - -# Delete all -$IPTABLES -F -$IPTABLES -t mangle -F - -# Delete all -$IPTABLES -X -$IPTABLES -t mangle -X - -# Zero all packets and counters. -$IPTABLES -Z -$IPTABLES -t mangle -Z - -# Completely disable IPv6. -#------------------------------------------------------------------------------ - -# Block all IPv6 traffic -# If the ip6tables command is available, try to block all IPv6 traffic. -#if test -x $IP6TABLES; then -# Set the default policies -# drop everything -#$IP6TABLES -P INPUT DROP -#$IP6TABLES -P FORWARD DROP -#$IP6TABLES -P OUTPUT DROP +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum # -## The mangle table can pass everything -#$IP6TABLES -t mangle -P PREROUTING ACCEPT -#$IP6TABLES -t mangle -P INPUT ACCEPT -#$IP6TABLES -t mangle -P FORWARD ACCEPT -#$IP6TABLES -t mangle -P OUTPUT ACCEPT -#$IP6TABLES -t mangle -P POSTROUTING ACCEPT - -# Delete all rules. -#$IP6TABLES -F 2>/dev/null -#$IP6TABLES -t mangle -F 2>/dev/null +# iptables [-t table] -S [chain [rulenum]] # -## Delete all chains. -#$IP6TABLES -X 2>/dev/null -#$IP6TABLES -t mangle -X 2>/dev/null +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] # -## Zero all packets and counters. -#$IP6TABLES -Z 2>/dev/null -#$IP6TABLES -t mangle -Z 2>/dev/null -#fi - -# Custom user-defined chains. -#------------------------------------------------------------------------------ - -# LOG packets, then ACCEPT. -$IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " -$IPTABLES -A ACCEPTLOG -j ACCEPT - -# LOG packets, then DROP. -$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " -$IPTABLES -A DROPLOG -j DROP - -# LOG packets, then REJECT. -# TCP packets are rejected with a TCP reset. -$IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " -$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -$IPTABLES -A REJECTLOG -j REJECT - -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - - -# Only allows RELATED ICMP types -# (destination-unreachable, time-exceeded, and parameter-problem). -# TODO: Rate-limit this traffic? -# TODO: Allow fragmentation-needed? -# TODO: Test. -$IPTABLES -N RELATED_ICMP -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT -$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT -$IPTABLES -A RELATED_ICMP -j DROPLOG - -# Make It Even Harder To Multi-PING -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT -$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP: -$IPTABLES -A INPUT -p icmp -j DROP -$IPTABLES -A OUTPUT -p icmp -j ACCEPT +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. +# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. +# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +PRIV_IF="br0" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +# Unlimited on local +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +##### Add your AP rules below ###### + +echo 1 > /proc/sys/net/ipv4/ip_forward + +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +# +##### Server rules below ###### -# Only allow the minimally required/recommended parts of ICMP. Block the rest. -#------------------------------------------------------------------------------ +#echo "Allow ICMP" +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 0 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -d 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 8 -d 192.168.0.0/16 -j ACCEPT -# TODO: This section needs a lot of testing! +#echo "Allow DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -d 192.168.0.0/16 -j ACCEPT -# First, drop all fragmented ICMP packets (almost always malicious). -$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG -$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG +echo "Allow HTTP and HTTPS server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow all ESTABLISHED ICMP traffic. -$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT +#echo "Allow ssh server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT +#$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT -# Allow some parts of the RELATED ICMP traffic, block the rest. -$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT -$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT +##### Add your rules below ###### -# Allow incoming ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +echo "Allow DNS Client" -# Allow outgoing ICMP echo requests (ping), but only rate-limited. -$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Drop any other ICMP traffic. -$IPTABLES -A INPUT -p icmp -j DROPLOG -$IPTABLES -A OUTPUT -p icmp -j DROPLOG -$IPTABLES -A FORWARD -p icmp -j DROPLOG +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Selectively allow certain special types of traffic. -#------------------------------------------------------------------------------ +echo "Allow Whois Client" -# Allow incoming connections related to existing allowed connections. -$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow outgoing connections EXCEPT invalid -$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +echo "Allow HTTP Client" -# Miscellaneous. -#------------------------------------------------------------------------------ +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ greedyevilsoft -$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +echo "Allow Rsync Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT -# Explicitly drop invalid incoming traffic -$IPTABLES -A INPUT -m state --state INVALID -j DROP +echo "Allow POP3S Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT -# Drop invalid outgoing traffic, too. -$IPTABLES -A OUTPUT -m state --state INVALID -j DROP +echo "Allow SMTPS Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT -# If we would use NAT, INVALID packets would pass - BLOCK them anyways -$IPTABLES -A FORWARD -m state --state INVALID -j DROP +echo "Allow NTP Client" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT -# PORT Scanners (stealth also) -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP -$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -# TODO: Some more anti-spoofing rules? For example: -$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +echo "Allow IRC Client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW -j ACCEPT -$IPTABLES -N SYN_FLOOD -$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD -$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN +echo "Allow Active FTP Client" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A SYN_FLOOD -j DROP +echo "Allow Git" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9418 -m state --state NEW -j ACCEPT -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 -#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +echo "Allow ssh client" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -#$IPTABLES -A INPUT -f -j DROP -$IPTABLES -A INPUT -f -j DROPLOG +#echo "Allow Passive Connections" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT -# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... -# Selectively allow certain inbound connections, block the rest. -#------------------------------------------------------------------------------ +# echo "Allow FairCoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 46392 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 46392 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow Dashcoin" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 29080 -m state --state NEW,ESTABLISHED -j ACCEPT +# $IPT -A INPUT -i ${PUB_IF} -p tcp --sport 29080 -m state --state ESTABLISHED -j ACCEPT +# +# echo "Allow warzone2100" +# $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2100 -s 192.168.0.0/16 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 2100 -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 9990 -j ACCEPT +# +# echo "Allow wesnoth" +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 15000 -m state --state NEW -j ACCEPT +# $IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 14998 -m state --state NEW -j ACCEPT -# Allow incoming SSH requests. -#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +##### END your rules ############ +# Less log of known traffic -# Allow incoming https server -#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT +# RIP protocol +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s 192.168.0.0/16 -j DROP +# DHCP +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 67 --dport 68 -s $DHCP_SERV -j ACCEPT -# Selectively allow certain outbound connections, block the rest. -#------------------------------------------------------------------------------ -# +# log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " -# Allow ping -$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients -$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow irc -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to xmmp -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to rsync server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server -$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -# Selectively allow certain outbound server connections, block the rest. -#------------------------------------------------------------------------------ - -# Allow from https server -#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT - -# Allow from dns server -#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT - -# Explicitly log and reject everything else. -#------------------------------------------------------------------------------ -# Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j DROPLOG -$IPTABLES -A OUTPUT -j DROPLOG -$IPTABLES -A FORWARD -j REJECTLOG - -# Counter hits - -#for i in $NIC_NAME -#do -# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set -# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -#done - -#------------------------------------------------------------------------------ -# Testing the firewall. -#------------------------------------------------------------------------------ - -# You should check/test that the firewall really works, using -# iptables -vnL, nmap, ping, telnet, ... - -# Exit gracefully. -#------------------------------------------------------------------------------ exit 0 diff --git a/core/configure.html b/core/configure.html index 6349b65..b3ca259 100644 --- a/core/configure.html +++ b/core/configure.html @@ -253,6 +253,7 @@ pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0 + #UUID=04f07488ce7b36205acc6d404dcf924643660ac5 # End of file diff --git a/core/grsecurity.html b/core/grsecurity.html index 30ee28c..48ac2b2 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -15,7 +15,7 @@ port kernel, for manual configuration check linux kernel. Configuration is not enable by default, groups with special permissions and other - protections are set with sysctl.html;

+ protections are set with sysctl;

@@ -56,6 +56,11 @@
Deny server sockets to this group.
+

At run time you can change some configurations;

+ +
+        # cat /proc/sys/kernel/grsecurity/what_ever_setting
+        

Kernel configuration related to grsecurity;

diff --git a/core/reboot.html b/core/reboot.html index c60265a..aa45a0f 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -99,7 +99,7 @@ # grub-probe --target=hints_string / -

Rescue iso

+

1.4.3.1. Rescue iso

Simple way to have "resque" system is to mount boot as read only, this assures that even as root nothing can be changed without remount. diff --git a/core/toolchain.html b/core/toolchain.html index b5d4bb1..04b58e3 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -74,6 +74,25 @@ export LDFLAGS="" +

Openssl

+ +

Replace openssl by libressl, view if + libressl port from 6c37-dropin is updated with + latest libressl upstream. First install libressl + to ensure it gets all the sources; + +

+        $ sudo prt-get depinst libressl
+        
+ +

After complaining about openssl files remove openssl; + +

+        $ sudo prt-get remove openssl
+        $ sudo prt-get depinst libressl
+        
+ +

libcap

    diff --git a/dev/php/index.html b/dev/php/index.html index 2a44270..a4549f1 100644 --- a/dev/php/index.html +++ b/dev/php/index.html @@ -9,10 +9,31 @@

    c9 PHP

    + +

    Hello World

    + +

    PHP comes with a built in server that helps to speed up + developing by not having to configure a system web server, + first create file index.php;

    + +
    +        <?php
    +           echo "Hello World";
    +        
    + +

    Now run the server;

    + +
    +        $ php -S localhost:8000
    +        
    + +

    Open your browser and browse http://localhost:8000, + you should see "Hello World".

    + Development Index

    This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

    diff --git a/legal/index.html b/legal/index.html index 0912ad8..677a540 100644 --- a/legal/index.html +++ b/legal/index.html @@ -19,7 +19,7 @@
    • Brasil
    • -
    • Portugal
    • +
    • Portugal (lost case, completed owned by corporations interests)
    Documentation Index diff --git a/tools/conf/etc/nginx/nginx.conf b/tools/conf/etc/nginx/nginx.conf index ddbdee6..8fca293 100644 --- a/tools/conf/etc/nginx/nginx.conf +++ b/tools/conf/etc/nginx/nginx.conf @@ -3,7 +3,7 @@ # -user nginx; +user www; worker_processes auto; error_log /var/log/nginx/error.log; @@ -20,16 +20,6 @@ http { include mime.types; default_type application/octet-stream; - ## - # SSL Settings - ## - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - # ssl on; - ssl_certificate /etc/ssl/certs/nginx.crt; - ssl_certificate_key /etc/ssl/keys/nginx.key; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; @@ -40,6 +30,7 @@ http { sendfile on; #tcp_nopush on; + client_max_body_size 8M; keepalive_timeout 65; client_body_timeout 12; client_header_timeout 12; diff --git a/tools/conf/etc/rc.d/git-daemon b/tools/conf/etc/rc.d/git-daemon new file mode 100755 index 0000000..8aa9d81 --- /dev/null +++ b/tools/conf/etc/rc.d/git-daemon @@ -0,0 +1,42 @@ +#!/bin/sh + +SSD=/sbin/start-stop-daemon +NAME=git-daemon +PROG=$(git --exec-path)/${NAME} +USER=www +GROUP=www +PIDFILE=/var/run/git-daemon.pid +OPTS="--verbose --reuseaddr --base-path=/srv/gitolite/repositories" + +case $1 in + start) + echo "Starting ${NAME}..." + $SSD --start \ + --pidfile ${PIDFILE} \ + --exec ${PROG} -- ${OPTS} \ + --detach --pid-file=${PIDFILE} \ + --user=${USER} --group=${GROUP} + + ;; + stop) + echo "Stopping ${NAME}..." + $SSD --stop --quiet --name git-daemon \ + --pidfile ${PIDFILE} + ;; + restart) + echo "Restarting ${NAME}..." + $0 stop + $0 start + ;; + status) + $SSD --status --pidfile $PIDFILE + case $? in + 0) echo "$PROG is running with pid $(cat $PIDFILE )" ;; + 3) echo "$PROG is not running" ;; + 4) echo "Unable to determine the program status" ;; + esac + ;; + *) + echo "usage: $0 [start|stop|restart|status]" + ;; +esac diff --git a/tools/gitolite.html b/tools/gitolite.html index ab1ad3a..a275c23 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -552,24 +552,35 @@

    5.2. Configure nginx

    -

    Edit /etc/rc.d/fcgiwrap to run as nginx user member of gitolite - and www group;

    +

    Edit /etc/rc.d/fcgiwrap to run as www user member of www group;

    -        USER=nginx
    -        GROUP=nginx
    +        USER=www
    +        GROUP=www
             
    +

    Permissions for /srv/gitolite/repositories directories should be + 0750/drwxr-x---.

    +
    -        # usermod -G www,gitolite nginx
    +        $ chown gitolite:www /srv/gitolite
    +        $ chown -R gitolite:www /srv/gitolite/projects.list
    +        $ chown -R gitolite:www /srv/gitolite/repositories
             
    -

    Create link from gitweb to web server folder;

    +

    A link from gitweb don't work under grsecurity since user www can't + follow simlink to root. Make a copy, later deploy via gitolite hook.

    +

    Link;

             # ln -s /usr/share/gitweb /srv/www
             
    +

    Copy;

    +
    +        # cp -r /usr/share/gitweb /srv/www
    +        
    +

    Add this to default or main nginx virtual host;

    diff --git a/tools/network.html b/tools/network.html index 9cf5395..c4e99f6 100644 --- a/tools/network.html +++ b/tools/network.html @@ -22,15 +22,12 @@ generate cron job to update ip every 5 minutes, check about dynamic interface. To run as system cron job add as root and remove path line from example;

    -
    -        PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
    -        
    -
             # crontab -e
             
    -

    Example from afraid uses curl and will log output to /tmp/freedns*

    +

    Example from afraid uses curl and will log output to /tmp/freedns*, + change to /var/log/freedns

    Bridges

    diff --git a/tools/nginx.html b/tools/nginx.html index 6d4f355..a85cf0e 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -43,6 +43,25 @@

    2. Certificates

    +

    2.1. Lets encrypt

    + +

    Example of nginx location block on public pmwiki setup;

    + +
    +        #ACME challenge
    +        location ^~ /.well-known {
    +              allow all;
    +              alias /srv/www/c9-pmwiki/pub/cert/.well-known/;
    +              default_type "text/plain";
    +              try_files $uri =404;
    +        }
    +        
    + +
    +        # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
    +        
    + +

    2.2. Self certificate

    Certificates allow a more secure connection. Lets create self-signed certificate;

    diff --git a/tools/nmap.html b/tools/nmap.html index c07ec0f..c3d5316 100644 --- a/tools/nmap.html +++ b/tools/nmap.html @@ -24,7 +24,7 @@

    Or by hostname;

    -        # nmap -v c9.root.cx
    +        # nmap -v c9.root.sx
             

    Check OS and version detection;

    diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf index 623c52c..db9978d 100644 --- a/tools/scripts/pkgmk-test.conf +++ b/tools/scripts/pkgmk-test.conf @@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(https://c9.root.cx/ports/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) # PKGMK_SOURCE_DIR="$PWD" # PKGMK_PACKAGE_DIR="$PWD" # PKGMK_WORK_DIR="$PWD/work" diff --git a/tools/scripts/setup-nginx.sh b/tools/scripts/setup-nginx.sh index decacc1..11065d2 100644 --- a/tools/scripts/setup-nginx.sh +++ b/tools/scripts/setup-nginx.sh @@ -1,16 +1,16 @@ #!/bin/sh -. `dirname $0`/config-install.sh - -prt-get depinst nginx - -cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ - -mkdir /srv/www -chown nginx:www /srv/www - -usermod -a -G www nginx -usermod -m -d /srv/www nginx +#. `dirname $0`/config-install.sh +# +#prt-get depinst nginx +# +#cp -R $CONF_DIR/etc/nginx/* /etc/nginx/ +# +#mkdir /srv/www +#chown www:www /srv/www +# +#usermod -a -g www nginx +#usermod -m -d /srv/www nginx openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048 openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr diff --git a/tools/x.html b/tools/x.html index 027d58a..8a68c5b 100644 --- a/tools/x.html +++ b/tools/x.html @@ -36,13 +36,14 @@ xorg-font-dejavu-ttf \ xorg-font-cursor-misc \ xorg-font-misc-misc \ + console-font-terminus \ + xorg-font-terminus \ xorg-font-mutt-misc $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst $ prt-get search xorg-font-bh | xargs sudo prt-get depinst -

    From 6c37 collection;

             $ prt-get search otf- | xargs sudo prt-get depinst
    -- 
    cgit 1.4.1-2-gfad0
    
    
    From 65167272a3ba52dc4d032a1c60a9ff030408047d Mon Sep 17 00:00:00 2001
    From: Silvino Silva 
    Date: Wed, 2 Aug 2017 01:01:58 +0100
    Subject: first hardened test
    
    ---
     core/conf/pkgmk.conf                            |    9 +-
     core/conf/prt-get.conf                          |   19 +-
     core/conf/sysctl.conf                           |    2 +-
     core/network.html                               |    6 +
     core/scripts/act-chroot.sh                      |   18 +-
     core/scripts/setup-install.sh                   |  217 +---
     core/scripts/setup-target.sh                    |  229 +++-
     dev/c/index.html                                |   90 +-
     tools/conf/etc/fonts/local.conf                 | 1542 +++++++++++++++++++++++
     tools/conf/etc/iptables/iptables-br.sh          |  318 +++++
     tools/conf/etc/iptables/vlan.v4                 |  228 ++--
     tools/conf/etc/nginx/sites-enabled/default.conf |   86 +-
     tools/conf/etc/ssh/sshd_config                  |   30 +-
     tools/nginx.html                                |    8 +-
     tools/qemu.html                                 |   80 +-
     tools/scripts/pkgmk-test.conf                   |    8 +-
     tools/scripts/pkgmk-test.sh                     |    2 +-
     17 files changed, 2499 insertions(+), 393 deletions(-)
     mode change 100644 => 100755 core/scripts/setup-install.sh
     mode change 100644 => 100755 core/scripts/setup-target.sh
     create mode 100644 tools/conf/etc/fonts/local.conf
     create mode 100644 tools/conf/etc/iptables/iptables-br.sh
    
    (limited to 'tools/nginx.html')
    
    diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
    index 4ef372e..6949fa7 100644
    --- a/core/conf/pkgmk.conf
    +++ b/core/conf/pkgmk.conf
    @@ -2,9 +2,10 @@
     # /etc/pkgmk.conf: pkgmk(8) configuration
     #
     
    -export CFLAGS="-O2 -march=native -mtune=native"
    +export CPPFLAGS="-D_FORTIFY_SOURCE=2"
    +export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check"
     export CXXFLAGS="${CFLAGS}"
    -
    +export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
     export MAKEFLAGS="-j4"
     
     case ${PKGMK_ARCH} in
    @@ -22,7 +23,9 @@ case ${PKGMK_ARCH} in
     		;;
     esac
     
    -#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
    +PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/)
    +#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/)
    +#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/)
     PKGMK_SOURCE_DIR="/usr/ports/distfiles"
     PKGMK_PACKAGE_DIR="/usr/ports/packages"
     PKGMK_WORK_DIR="/usr/ports/work/$name"
    diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
    index 0504d3e..e210ca8 100644
    --- a/core/conf/prt-get.conf
    +++ b/core/conf/prt-get.conf
    @@ -5,20 +5,19 @@
     # note: the order matters: the package found first is used
     prtdir /usr/ports/core
     prtdir /usr/ports/opt
    +prtdir /usr/ports/contrib
    +prtdir /usr/ports/c9-ports
     prtdir /usr/ports/xorg
     
    +# 6c37 team provides a collection with freetype-iu, fontconfig-iu
    +# and cairo-iu ports.
    +
     # the following line enables the multilib compat-32 collection
     #prtdir /usr/ports/compat-32
     
     # the following line enables the user maintained contrib collection
    -prtdir /usr/ports/contrib
    -
    -# ports described on this documentation
    -#prtdir /usr/ports/c9-ports
    -
    -# 6c37 team provides a collection with freetype-iu, fontconfig-iu
    -# and cairo-iu ports.
    -#prtdir /usr/ports/6c37
    +prtdir /usr/ports/6c37-dropin
    +prtdir /usr/ports/6c37
     
     ### use mypackage form local directory
     # prtdir /home/packages/build:mypackage
    @@ -38,7 +37,7 @@ logfile  /usr/ports/pkgbuild/%n-%v-%r.log
     readme verbose           # (verbose|compact|disabled)
     
     ### prefer higher versions in sysup / diff
    -#preferhigher yes      # (yes|no)
    +preferhigher no     # (yes|no)
     
     ### use regexp search
     # useregex no        # (yes|no)
    @@ -51,7 +50,7 @@ runscripts yes            # (no|yes)
     ### EXPERT SECTION ###
     
     ### alternative commands
    -makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
    +makecommand      sudo -H -u pkgmk -g users fakeroot pkgmk
     addcommand       sudo pkgadd
     removecommand    sudo pkgrm
     runscriptcommand sudo sh
    diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
    index c421e59..4606791 100644
    --- a/core/conf/sysctl.conf
    +++ b/core/conf/sysctl.conf
    @@ -374,7 +374,7 @@ kernel.grsecurity.tpe_gid = 100
     #  users on the system.  If the sysctl option is enabled, a sysctl option
     #  with name "tpe_invert" is created.  Unlike other sysctl options, this
     #  entry will default to on for backward-compatibility.
    -kernel.grsecurity.tpe_invert = 1
    +kernel.grsecurity.tpe_invert = 0
     
     #  If you say Y here, all non-root users will be covered under
     #  a weaker TPE restriction.  This is separate from, and in addition to,
    diff --git a/core/network.html b/core/network.html
    index 4f1f20a..92f0e1e 100644
    --- a/core/network.html
    +++ b/core/network.html
    @@ -138,6 +138,12 @@
             # sh /etc/rc.d/iptables start
             
    +

    See current rules and packets;

    + +
    +        # iptables -L -n -v | less
    +        
    +

    Copy init script, edit if you dont like to let drop when you call stop.

    diff --git a/core/scripts/act-chroot.sh b/core/scripts/act-chroot.sh index f8ae571..5411bc5 100644 --- a/core/scripts/act-chroot.sh +++ b/core/scripts/act-chroot.sh @@ -21,15 +21,15 @@ BLK_HOME="${DEV}8" #read CHROOT CHROOT="/mnt" -mount $BLK_ROOT $CHROOT - -mount $BLK_BOOT $CHROOT/boot -mount $BLK_EFI $CHROOT/boot/efi - -mount $BLK_VAR $CHROOT/var -mount $BLK_USR $CHROOT/usr -mount $BLK_PRT $CHROOT/usr/ports -mount $BLK_HOME $CHROOT/home +#mount $BLK_ROOT $CHROOT +# +#mount $BLK_BOOT $CHROOT/boot +#mount $BLK_EFI $CHROOT/boot/efi +# +#mount $BLK_VAR $CHROOT/var +#mount $BLK_USR $CHROOT/usr +#mount $BLK_PRT $CHROOT/usr/ports +#mount $BLK_HOME $CHROOT/home #mount -vt devpts devpts $CHROOT/dev/pts #mount -vt tmpfs shm $CHROOT/dev/shm diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh old mode 100644 new mode 100755 index 0e0a720..c1d2765 --- a/core/scripts/setup-install.sh +++ b/core/scripts/setup-install.sh @@ -1,24 +1,9 @@ -#!/bin/sh +#!/bin/bash # Set Global Vars ADMIN_USER=c9admin DEV=$1 - -CHROOT="/mnt" -##read BLK_EFI -BLK_EFI="${DEV}2" -##read BLK_BOOT -BLK_BOOT="${DEV}3" -##read BLK_ROOT -BLK_ROOT="${DEV}4" -##read BLK_VAR -BLK_VAR="${DEV}5" -##read BLK_USR -BLK_USR="${DEV}6" -##read BLK_SWP -BLK_SWP="${DEV}7" -##read BLK_HOME -BLK_HOME="${DEV}8" +CHROOT=$2 # Absolute path to this script, # e.g. /home/user/c9-doc/core/scripts/foo.sh @@ -57,133 +42,37 @@ ConfirmOrExit () } -setup_target () { - echo "1.1.2 Creating File System on $BLK_EFI with fat32:" - mkfs.fat -F 32 $BLK_EFI - echo "1.1.2 Creating File System on $BLK_BOOT with ext4:" - mkfs.ext4 $BLK_BOOT - echo "1.1.2 Creating File System on $BLK_ROOT with ext4:" - mkfs.ext4 $BLK_ROOT - echo "1.1.2 Creating File System on $BLK_VAR with ext4:" - mkfs.ext4 $BLK_VAR - echo "1.1.2 Creating File System on $BLK_USR with ext4:" - mkfs.ext4 $BLK_USR - echo "1.1.2 Creating Swap File System on $BLK_SWP:" - mkswap $BLK_SWP - echo "1.1.2 Creating File System on $BLK_HOME with ext4:" - mkfs.ext4 $BLK_HOME - - echo "1.1.3 mount point to chroot (/mnt):\n" - mount $BLK_ROOT $CHROOT - - mkdir -p $CHROOT/boot - mount $BLK_BOOT $CHROOT/boot - mkdir -p $CHROOT/boot/efi - mount $BLK_EFI $CHROOT/boot/efi - mkdir -p $CHROOT/var - mount $BLK_VAR $CHROOT/var - mkdir -p $CHROOT/usr - mount $BLK_USR $CHROOT/usr - mkdir -p $CHROOT/home - mount $BLK_HOME $CHROOT/home - - - mkdir -p $CHROOT/dev - mkdir -p $CHROOT/tmp - mkdir -p $CHROOT/proc - mkdir -p $CHROOT/sys - - mkdir -p $CHROOT/var/lib/pkg - mkdir -p $CHROOT/usr/ports - - mkdir -p $CHROOT/media - - mount --bind /dev $CHROOT/dev - mount -vt devpts devpts $CHROOT/dev/pts - mount -vt tmpfs shm $CHROOT/dev/shm - mount -vt proc proc $CHROOT/proc - mount -vt sysfs sysfs $CHROOT/sys - - modprobe isofs - modprobe loop - mount -o loop $ISO_FILE $CHROOT/media -} - -install_packages() { +install_core() { echo "1.1.4 Create core.lst and install pkgadd" - for p in $CHROOT/media/crux/core/*; do echo $p >> $CHROOT/core.lst; done + for p in ${CHROOT}mnt/media/crux/core/*; do echo $p >> ${CHROOT}core.lst; done - tar xf "$CHROOT/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > $CHROOT/pkgadd + tar xf "${CHROOT}mnt/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}pkgadd - chmod +x $CHROOT/pkgadd + chmod +x ${CHROOT}pkgadd echo "1.1.4 File core.lst complete, review list of packages before continue..." read PAUSE - vim $CHROOT/core.lst + vim ${CHROOT}core.lst echo "1.1.4 Starting install" - touch $CHROOT/var/lib/pkg/db + touch ${CHROOT}/var/lib/pkg/db cd $CHROOT while read line; do echo "Installing $line;\n" - $CHROOT/pkgadd -f -r $CHROOT $line - done < core.lst + ${CHROOT}pkgadd -u -f -r ${CHROOT} ${line} + done < ${CHROOT}core.lst - rm $CHROOT/pkgadd - rm $CHROOT/core.lst + rm ${CHROOT}pkgadd + rm ${CHROOT}core.lst - echo "1.1.5. Install extra packages;" - - mkdir $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/core/* $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages + mkdir ${CHROOT}usr/ports/packages + cp ${CHROOT}media/crux/core/* ${CHROOT}usr/ports/packages - echo "Installing $CHROOT/usr/ports/packages/fakeroot" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* - echo "Installing $CHROOT/usr/ports/packages/dbus" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* - echo "Installing $CHROOT/usr/ports/packages/expat" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* - echo "Installing $CHROOT/usr/ports/packages/libnl" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* - echo "Installing $CHROOT/usr/ports/packages/libpng" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* - echo "Installing $CHROOT/usr/ports/packages/freetype" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* - echo "Installing $CHROOT/usr/ports/packages/libffi" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* - echo "Installing $CHROOT/usr/ports/packages/sqlite3" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* - echo "Installing $CHROOT/usr/ports/packages/python" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* - echo "Installing $CHROOT/usr/ports/packages/glib" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* - echo "Installing $CHROOT/usr/ports/packages/grub2" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2#* - echo "Installing $CHROOT/usr/ports/packages/grub2-efi" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* - echo "Installing $CHROOT/usr/ports/packages/wireless-tools" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* - echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* - echo "Installing $CHROOT/usr/ports/packages/lvm2" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* - echo "Installing $CHROOT/usr/ports/packages/mdadm" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* - echo "Installing $CHROOT/usr/ports/packages/efivar" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* - echo "Installing $CHROOT/usr/ports/packages/efibootmgr" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* - echo "Installing $CHROOT/usr/ports/packages/dosfstools" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* - - echo "1.1.6. Install extra ports;\n" +} - mkdir $CHROOT/usr/ports/c9-ports - cp -r $DIR_PRT/* $CHROOT/usr/ports/c9-ports/ +setup_core() { echo "1.1.7. dns resolver, copy resolv.conf;\n" cp /etc/resolv.conf $CHROOT/etc @@ -193,9 +82,6 @@ install_packages() { echo "1.1.9. Install Skeletons\n" cp -r $DIR_CONF/skel $CHROOT/etc/ -} - -host_metadata() { echo "1.2.1. Set hostname and hosts;" cp $DIR_CONF/hosts $CHROOT/etc/ @@ -229,9 +115,6 @@ host_metadata() { cp $DIR_CONF/rc.conf $CHROOT/etc/ vim $CHROOT/etc/rc.conf -} - -setup_ports() { echo "1.3.1. Build as unprivileged user;" chroot $CHROOT /usr/bin/env -i \ @@ -284,18 +167,59 @@ setup_ports() { #vim $CHROOT/etc/prt-get.conf } -echo "SCRIPT=$SCRIPT"; -echo "SCRIPTPATH=$SCRIPTPATH"; +install_packages() { -echo "Device: $DEV\n" + echo "1.1.5. Install extra packages;" + cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages + cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages -echo "1.1.2 EFI block; ($BLK_EFI)" -echo "1.1.2 boot block; ($BLK_BOOT)" -echo "1.1.2 root block; ($BLK_ROOT)" -echo "1.1.2 var block; ($BLK_VAR)" -echo "1.1.2 usr block; ($BLK_USR)" -echo "1.1.2 swap block; ($BLK_SWP)" -echo "1.1.2 home block; ($BLK_HOME)\n" + echo "Installing $CHROOT/usr/ports/packages/fakeroot" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* + echo "Installing $CHROOT/usr/ports/packages/dbus" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* + echo "Installing $CHROOT/usr/ports/packages/expat" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* + echo "Installing $CHROOT/usr/ports/packages/libnl" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* + echo "Installing $CHROOT/usr/ports/packages/libpng" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* + echo "Installing $CHROOT/usr/ports/packages/freetype" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* + echo "Installing $CHROOT/usr/ports/packages/libffi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* + echo "Installing $CHROOT/usr/ports/packages/sqlite3" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* + echo "Installing $CHROOT/usr/ports/packages/python" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* + echo "Installing $CHROOT/usr/ports/packages/glib" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* + echo "Installing $CHROOT/usr/ports/packages/grub2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2#* + echo "Installing $CHROOT/usr/ports/packages/grub2-efi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* + echo "Installing $CHROOT/usr/ports/packages/wireless-tools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* + echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* + echo "Installing $CHROOT/usr/ports/packages/lvm2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* + echo "Installing $CHROOT/usr/ports/packages/mdadm" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* + echo "Installing $CHROOT/usr/ports/packages/efivar" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* + echo "Installing $CHROOT/usr/ports/packages/efibootmgr" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* + echo "Installing $CHROOT/usr/ports/packages/dosfstools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* + + echo "1.1.6. Install extra ports;\n" + + mkdir $CHROOT/usr/ports/c9-ports + cp -r $DIR_PRT/* $CHROOT/usr/ports/c9-ports/ + +} +echo "SCRIPT=$SCRIPT"; +echo "SCRIPTPATH=$SCRIPTPATH"; echo "ADMIN_USER="$ADMIN_USER"\n" echo "CHROOT=$CHROOT"; @@ -307,9 +231,8 @@ echo "ISO_FILE=$ISO_FILE"; ConfirmOrExit echo "press enter to continue" read -setup_target -install_packages -host_metadata -setup_ports +install_core +#setup_core +#install_packages echo "Ready to chroot $CHROOT /bin/bash \n" diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh old mode 100644 new mode 100755 index 6931fe9..d46d4bb --- a/core/scripts/setup-target.sh +++ b/core/scripts/setup-target.sh @@ -1,5 +1,36 @@ #!/bin/sh +DEV=/dev + +SETUP_TARGET="print" +CHROOT="/mnt" + +# Absolute path to this script, e.g. /home/user/bin/foo.sh +SCRIPT=$(readlink -f "$0") +# Absolute path this script is in, thus /home/user/bin +SCRIPTPATH=$(dirname "$SCRIPT") + +DIR=$(dirname "$SCRIPTPATH"); +DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; + +ISO_FILE="${DIR_LOCAL}/crux-3.3.iso" + +##read BLK_EFI +BLK_EFI="${DEV}2" +##read BLK_BOOT +BLK_BOOT="${DEV}3" +##read BLK_ROOT +BLK_ROOT="${DEV}4" +##read BLK_VAR +BLK_VAR="${DEV}5" +##read BLK_USR +BLK_USR="${DEV}6" +##read BLK_SWP +BLK_SWP="${DEV}7" +##read BLK_HOME +BLK_HOME="${DEV}8" + + # First we define the function ConfirmOrExit () { @@ -19,31 +50,173 @@ ConfirmOrExit () echo "You entered $CONFIRM. Continuing ..." } -DEV=$1 - -echo "Device: $DEV\n" -ConfirmOrExit - -parted --script $DEV \ - mklabel gpt \ - unit mib \ - mkpart primary 1 3 \ - name 1 grub \ - set 1 bios_grub on \ - mkpart ESP fat32 3 125 \ - name 2 efi \ - set 2 boot on \ - mkpart primary ext4 125 1128 \ - name 3 boot \ - mkpart primary ext4 1128 5128 \ - name 4 root \ - mkpart primary ext4 5128 6128 \ - name 5 var \ - mkpart primary ext4 6128 14128 \ - name 6 usr \ - mkpart primary linux-swap 14128 18128 \ - name 7 swap \ - mkpart primary ext4 18128 100% \ - name 8 home - -exit 0; + +partition_target () { + + parted --script $DEV \ + mklabel gpt \ + unit mib \ + mkpart primary 1 3 \ + name 1 grub \ + set 1 bios_grub on \ + mkpart ESP fat32 3 125 \ + name 2 efi \ + set 2 boot on \ + mkpart primary ext4 125 1128 \ + name 3 boot \ + mkpart primary ext4 1128 5128 \ + name 4 root \ + mkpart primary ext4 5128 6128 \ + name 5 var \ + mkpart primary ext4 6128 14128 \ + name 6 usr \ + mkpart primary linux-swap 14128 18128 \ + name 7 swap \ + mkpart primary ext4 18128 100% \ + name 8 home +} + +mount_target () { + echo "1.1.2 Creating File System on $BLK_EFI with fat32:" + mkfs.fat -F 32 $BLK_EFI + echo "1.1.2 Creating File System on $BLK_BOOT with ext4:" + mkfs.ext4 $BLK_BOOT + echo "1.1.2 Creating File System on $BLK_ROOT with ext4:" + mkfs.ext4 $BLK_ROOT + echo "1.1.2 Creating File System on $BLK_VAR with ext4:" + mkfs.ext4 $BLK_VAR + echo "1.1.2 Creating File System on $BLK_USR with ext4:" + mkfs.ext4 $BLK_USR + echo "1.1.2 Creating Swap File System on $BLK_SWP:" + mkswap $BLK_SWP + echo "1.1.2 Creating File System on $BLK_HOME with ext4:" + mkfs.ext4 $BLK_HOME + + echo "1.1.3 mount point to chroot (/mnt):\n" + mount $BLK_ROOT $CHROOT + + mkdir -p $CHROOT/boot + mount $BLK_BOOT $CHROOT/boot + + mkdir -p $CHROOT/boot/efi + mount $BLK_EFI $CHROOT/boot/efi + + mkdir -p $CHROOT/var + mount $BLK_VAR $CHROOT/var + + mkdir -p $CHROOT/usr + mount $BLK_USR $CHROOT/usr + + mkdir -p $CHROOT/home + mount $BLK_HOME $CHROOT/home + + mkdir -p $CHROOT/var/lib/pkg + mkdir -p $CHROOT/usr/ports + + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/tmp + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + +} + +directory_target () { + + mkdir -p $CHROOT/home + mkdir -p $CHROOT/boot/efi + mkdir -p $CHROOT/var/lib/pkg + mkdir -p $CHROOT/usr/ports + + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/tmp + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + +} + + +enable_target () { + + mount --bind /dev $CHROOT/dev + mount -vt devpts devpts $CHROOT/dev/pts + mount -vt tmpfs shm $CHROOT/dev/shm + mount -vt proc proc $CHROOT/proc + mount -vt sysfs sysfs $CHROOT/sys + + modprobe isofs + modprobe loop + mount -o loop $ISO_FILE $CHROOT/media +} + +print_target() { + echo "Device: $DEV" + echo "CHROOT: $CHROOT" + echo "ISO_FILE: $ISO_FILE" + echo "Option Selected: $SETUP_TARGET\n" + + echo "1.1.2 EFI block; ($BLK_EFI)" + echo "1.1.2 boot block; ($BLK_BOOT)" + echo "1.1.2 root block; ($BLK_ROOT)" + echo "1.1.2 var block; ($BLK_VAR)" + echo "1.1.2 usr block; ($BLK_USR)" + echo "1.1.2 swap block; ($BLK_SWP)" + echo "1.1.2 home block; ($BLK_HOME)\n" + + +} + +print_help() { + echo "usage: setup_target [options]" + echo "options:" + echo " -p, --partition create partitions and file systems" + echo " -m, --mount mount partitions on chroot" + echo " -d, --directory keep temporary working directory" + echo " -e, --enable enable chroot (proc,dev, sys...)" + echo " -v, --view view environment vars and exit" + echo " -h, --help print help and exit" +} + + +while [ "$1" ]; do + case $1 in + -p|--partition) + SETUP_TARGET="partition" + print_target + ConfirmOrExit + partition_target + exit 0 ;; + -m|--mount) + SETUP_TARGET="mount" + print_target + ConfirmOrExit + mount_target + exit 0 ;; + -d|--directory) + SETUP_TARGET="directory" + print_target + ConfirmOrExit + directory_target + exit 0 ;; + -e|--enable) + SETUP_TARGET="enable" + print_target + ConfirmOrExit + enable_target + exit 0 ;; + -v|--view) + SETUP_TARGET="view" + print_target + exit 0 ;; + -h|--help) + print_help + exit 0 ;; + *) + echo "setup-target: invalid option $1" + exit 1 ;; + esac + shift +done diff --git a/dev/c/index.html b/dev/c/index.html index 09374c6..684c7d2 100644 --- a/dev/c/index.html +++ b/dev/c/index.html @@ -7,6 +7,92 @@ Development Index +

    System Development

    + +

    System development requires debug kernel know how, + in this example will be used qemu and gdb. A simple init + program is created. Create init.S;

    + +
    +	.global _start
    +	_start:
    +	    mov $1, %rax
    +	    mov $1, %rdi
    +	    mov $message, %rsi
    +	    mov $message_len, %rdx
    +	    syscall
    +	    jmp .
    +	    message: .ascii "FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR\n"
    +	    .equ message_len, . - message
    +	
    + +

    Assemble, link and create simple initial ram disk;

    + +
    +	mkdir d
    +	as --64 -o init.o init.S # assemble
    +	ld -o d/init init.o      # link
    +	cd d
    +	find . | cpio -o -H newc | gzip > ../rootfs.cpio.gz
    +	
    + +

    Clean temporary directory;

    + +
    +	cd ..
    +	rm -r d/
    +	
    + +

    Can be used C to create init program;

    + +
    +	#include <stdio.h>
    +	#include <unistd.h>
    +
    +	int main() {
    +	    printf("FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR\n");
    +	    sleep(0xFFFFFFFF);
    +	    return 0;
    +	}
    +	
    + +
    +	$ gcc -static init.c -o init
    +	
    + +

    Test qemu, kernel and simple init program, you should see + "FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR";

    + +
    +	$ qemu-system-x86_64 -enable-kvm --kernel arch/x86_64/boot/bzImage \
    +    	--initrd rootfs.cpio.gz
    +	
    + +

    If everything goes well you can start qemu without start CPU at + startup (-S) and with gdb server on TCP port 1234 (-s).

    + +
    +	$ qemu-system-x86_64 -enable-kvm --kernel arch/x86/boot/bzImage \
    +                --initrd rootfs.cpio.gz \
    +		-S -s
    +	
    + +

    On another terminal start gdb;

    + +
    +	gdb \
    +	    -ex "add-auto-load-safe-path $(pwd)" \
    +	    -ex "file vmlinux" \
    +	    -ex 'set arch i386:x86-64:intel' \
    +	    -ex 'target remote localhost:1234' \
    +	    -ex 'break start_kernel' \
    +	    -ex 'continue' \
    +	    -ex 'disconnect' \
    +	    -ex 'set arch i386:x86-64' \
    +	    -ex 'target remote localhost:1234'
    +	
    + +

    C & GDB

    C program with autotools @@ -74,7 +160,7 @@ thread 1 -

    Stopping and Starting +

    Stopping and Starting multi-thread programs

    @@ -86,8 +172,6 @@
             
             strace -c ./program
             
    - - Development Index

    This is part of the c9-doc Manual. diff --git a/tools/conf/etc/fonts/local.conf b/tools/conf/etc/fonts/local.conf new file mode 100644 index 0000000..64dc276 --- /dev/null +++ b/tools/conf/etc/fonts/local.conf @@ -0,0 +1,1542 @@ + + + + + + + + + + + + 96 + + + + + + + true + + + + + + + unknown + + + rgb + + + + + + + + + + + + Franklin Gothic Medium + Frutiger Linotype + + Lucida Sans Unicode + + + + 13.4 + + + + medium + + + + roman + + + + false + + + + + + + + + Comic Sans MS + + + 15 + + + medium + + + roman + + + false + + + + + + + Georgia + Lucida Sans + Lucida Sans Typewriter + + Microsoft Sans Serif + + Tahoma + Trebuchet MS + Verdana + + + 16.1 + + + medium + + + roman + + + + false + + + + + + + Arial + Arial Narrow + Berling Antiqua + Book Antiqua + Bookman Old Style + Garamond + + Lucida Console + Palatino Linotype + SylfaenARM + Times New Roman + + + 17.4 + + + medium + + + roman + + + false + + + + + + + Century Gothic + Kartika + + + 21.4 + + + medium + + + roman + + + false + + + + + + + Vrinda + + + 23 + + + medium + + + roman + + + false + + + + + + + Courier New + + + 29.4 + + + medium + + + roman + + + false + + + + + + + Georgia + + + 12 + + + medium + + + roman + + + false + + + + + + + Tahoma + Verdana + + + 13.4 + + + medium + + + roman + + + false + + + + + + + Courier New + + + 16 + + + medium + + + roman + + + false + + + + + + + + + hintfull + + + + + + + Bitstream Charter + Courier 10 Pitch + DejaVu Sans Condensed + DejaVu Serif Condensed + FreeMono + FreeSans + FreeSerif + Luxi Mono + Luxi Sans + Luxi Serif + MgOpen Canonica + MgOpen Cosmetica + MgOpen Modata + MgOpen Moderna + URW Bookman L + URW Chancery L + URW Gothic L + URW Palladio L + + + + true + + + + + + + Arial + + + 12 + + + 13.4 + + + medium + + + roman + + + true + + + + + + + Book Antiqua + + + 16 + + + medium + + + roman + + + true + + + + + + + + Frutiger Linotype + + Times New Roman + + Verdana + + + medium + + + roman + + + true + + + + + + + + 7 + + + 7 + + + + + + + 9.4 + + + 9.4 + + + + + + + + + Arial + + + 10.7 + + + medium + + + 10.7 + + + + + + + + 0 + + + + + true + + + + + + + + + Bitstream Charter + + + serif + + + + + + Bitstream Vera Sans + + + sans + + + + + + + DejaVu Sans + + + sans + + + + + + DejaVu Sans Condensed + + + Arial + + + + + + + + + Helvetica + + + Sans + + + + + + Helvetica Neue + + + Sans + + + + + + Lucida + + + Arial + + + + + + + LucidaBright + + + Arial + + + + + + Lucida Bright + + + Arial + + + + + + Luxi Sans + + + Arial + + + + + + MgOpen Cosmetica + + + Arial + + + + + + MgOpen Modata + + + Arial + + + + + + MgOpen Moderna + + + Arial + + + + + + System + + + Arial + + + + + + URW Gothic L + + + Arial + + + + + + + Verdana + + + Noto Sans + + + Open Sans + + + + + + + Bitstream Vera Serif + + + Georgia + + + + + + DejaVu Serif + + + Georgia + + + + + + DejaVu Serif Condensed + + + Georgia + + + + + + + + Luxi Serif + + + Georgia + + + + + + MgOpen Canonica + + + Georgia + + + + + + New Century Schoolbook + + + Georgia + + + + + + New York + + + Georgia + + + + + + Palatino + + + Georgia + + + + + + Times + + + Georgia + + + + + + URW Bookman L + + + Georgia + + + + + + URW Palladio L + + + Georgia + + + + + + + Andale Mono + + + monospace + + + + + + Bitstream Vera Sans Mono + + + Courier New + + + + + + Courier + + + monospace + + + + + + DejaVu Sans Mono + + + monospace + + + + + + Fixedsys + + + Courier New + + + + + + + + + LucidaTypewriter + + + Courier New + + + + + + Lucida Typewriter + + + Courier New + + + + + + Luxi Mono + + + Courier New + + + + + + Monaco + + + Courier New + + + + + + Terminal + + + Courier New + + + + + + + Apple Chancery + + + Comic Sans MS + + + + + + Lucida Handwriting + + + Comic Sans MS + + + + + + URW Chancery L + + + Comic Sans MS + + + + + + Zapf Chancery + + + Comic Sans MS + + + + + + + Copperplate + + + Impact + + + + + + Desdemona + + + Impact + + + + + + Kino + + + Impact + + + + + + Techno + + + Impact + + + + + + + + cursive + + Comic Sans MS + + + + + fantasy + + Impact + + + + + + + + + + + Arial + + + 12.0 + + + droid sans + + + + + + + + Arial + + + 13.0 + + + noto sans + + + + + + + Arial + + + noto sans + + + + + + + Georgia + + + Noto Serif + + + + + + + + noto sans + + + true + + + hintfull + + + + + + + ubuntu + + + true + + + hintfull + + + + + + + Droid Sans + Droid Sans Mono + + + false + + + hintfull + + + + + + + liberation mono + + + false + + + hintmedium + + + + + + + + + + + + + noto sans + + + 16 + + + medium + + + true + + + hintslight + + + + + + + noto sans + + + 16 + + + medium + + + true + + + true + + + hintslight + + + + + + + + + + + + + + + + + + + + + + + + monospace + + + Droid Sans Mono + + + + + + + sans-serif + + + Noto Sans + + + + + + + Courier New + + + Droid Sans Mono + + + + + + + + + + + + Times New Roman + serif + + + + Noto Serif + + + + + + + + Lucida Grande + + + medium + + + hintslight + + + + + + + + Lucida Console + + + true + + + false + + + hintfull + + + + + + + Open Sans + + + true + + + hintfull + + + + + + + + + + + hi + + + Lohit Hindi + + + + + + + gargi + Lohit Hindi + + + true + + + true + + + hintslight + + + + + + + mangal + + + Lohit Hindi + + + + + + diff --git a/tools/conf/etc/iptables/iptables-br.sh b/tools/conf/etc/iptables/iptables-br.sh new file mode 100644 index 0000000..104e574 --- /dev/null +++ b/tools/conf/etc/iptables/iptables-br.sh @@ -0,0 +1,318 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. +# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. +# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +# public interface to network/internet +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +NET_ADDR="192.168.1.0/24" +# private interface for virtual/internal +PRIV_IF="br0" +PRIV_IP="10.0.0.1" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +###### AP rules ###### +echo 1 > /proc/sys/net/ipv4/ip_forward +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + + +###### Input Chain ###### + +# Unlimited on local +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +#$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT + +echo "Allow input from DNS Server" +$IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from Https server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input to HTTPS Server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + +#echo "Allow input from HTTP Server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from IRC server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from FTP server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from git server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from POP3S server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from SMTPS server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input to HTTP Server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +#echo "Allow input to DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT + +echo "Allow input to SSH server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +###### Output Chain ###### + +# Unlimited on loopback +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT +#$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT + +# Unlimited on local +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +echo "Allow output to DNS server" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT + +echo "Allow output to https server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 1024:65535 --dport 443 -j ACCEPT + +echo "Allow output from https server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + +#echo "Allow output from http server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + +#echo "Allow to HTTP server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to SSH server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to ftp server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to git server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to IRC server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to SMTPS server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to POP3S server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +## less logs + +echo "Drop RIP protocol" +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP + +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT + +## log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +# +exit 0 diff --git a/tools/conf/etc/iptables/vlan.v4 b/tools/conf/etc/iptables/vlan.v4 index 9248630..7954521 100644 --- a/tools/conf/etc/iptables/vlan.v4 +++ b/tools/conf/etc/iptables/vlan.v4 @@ -1,170 +1,112 @@ -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *security -:INPUT ACCEPT [6:2056] +:INPUT ACCEPT [85:6694] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *raw -:PREROUTING ACCEPT [7:2092] -:OUTPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [97:7863] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 +*nat +:PREROUTING ACCEPT [6:683] +:INPUT ACCEPT [2:138] +:OUTPUT ACCEPT [2:131] +:POSTROUTING ACCEPT [2:131] +COMMIT +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *mangle -:PREROUTING ACCEPT [7:2092] -:INPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [8:624] +:INPUT ACCEPT [8:624] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] -:POSTROUTING ACCEPT [6:2056] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *filter :INPUT DROP [0:0] -:FORWARD ACCEPT [0:0] +:FORWARD DROP [0:0] :OUTPUT DROP [0:0] +:ACCEPTLOG - [0:0] +:DROPLOG - [0:0] +:REJECTLOG - [0:0] +:RELATED_ICMP - [0:0] +:SYN_FLOOD - [0:0] -A INPUT -i lo -j ACCEPT --A INPUT -i br0 -j ACCEPT --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" +-A INPUT -p icmp -j DROP +-A INPUT -p icmp -f -j DROPLOG +-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -j DROPLOG +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -m state --state INVALID -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -################################################################################# -# INPUT -# Established connections and passive -# - -# Allow established from dns server -#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# INPUT accept passive --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT - - -# Allow irc --A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow xmmp --A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT -# Allow established from https server --A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow established from http server --A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from rsync server --A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from pop3s server --A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from smtps server --A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ntp server --A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from whois server --A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ftp server --A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -################################################################################## -# INPUT -# New and established connections to local servers -# - -# allow ping --A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT - -# INPUT accept to dns server --A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -# INPUT accept from wlp7s0 to https server +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD +-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# INPUT accept from wlp7s0 to ssh server --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT - --A FORWARD -i br0 -j ACCEPT - --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 - -################################################################################## -# Output -# Connections to remote servers -# +-A INPUT -j DROPLOG +-A FORWARD -p icmp -f -j DROPLOG +-A FORWARD -p icmp -j DROPLOG +-A FORWARD -m state --state INVALID -j DROP +-A FORWARD -j REJECTLOG -A OUTPUT -o lo -j ACCEPT --A OUTPUT -o br0 -j ACCEPT - -# Allow ping --A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -p icmp -f -j DROPLOG +-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -j DROPLOG +-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m state --state INVALID -j DROP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow from dns server --A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow irc +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow xmmp --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - - -# Allow to rsync server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -################################################################################## -# Output -# Connections from local servers -# - - --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT - - --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 -*nat -:PREROUTING ACCEPT [1:36] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] - --A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT --A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -#-A POSTROUTING -o wlp7s0 -j MASQUERADE - +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A ACCEPTLOG -j ACCEPT +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -j DROP +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset +-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable +-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A RELATED_ICMP -j DROPLOG +-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN +-A SYN_FLOOD -j DROP COMMIT -# Completed on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index 4e01b88..f7c3484 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf @@ -1,49 +1,103 @@ - server { + +#listen 443 ssl http2; listen 443 ssl; - # listen [::]:443 ssl; +# listen 80; server_name c9.core; - root /srv/www/default; +# listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/c9.core/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/c9.core/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/c9.core/chain.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + + root /srv/www; + + location /ports/distfiles { + alias /usr/ports/distfiles; + } + + location /ports/packages { + alias /usr/ports/distfiles; + } + + location /doc { + alias /srv/www/c9-doc; + index index.html; + } - location /distfiles { - alias /usr/ports/distfiles; + location /git/static { +# static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + expires 30d; } + location /git { + alias /srv/www/gitweb; + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - location /bug { + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } + + location /task { index index.php; - alias /srv/www/default/flyspray; + alias /srv/www/c9-flyspray; try_files $uri $uri/ index.php$is_args$args; } - location ~ ^/bug(.+\.php)$ { ### This location block was the solution - alias /srv/www/default/flyspray; - - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/c9-flyspray; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; try_files $uri /index.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } location / { - alias /srv/www/default/pmwiki/; - index pmwiki.php + alias /srv/www/c9-pmwiki/; + index pmwiki.php; try_files $uri $uri/ /pmwiki.php$is_args$args; } +# ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/c9-pmwiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location ~ \.php$ { - alias /srv/www/default/pmwiki; + alias /srv/www/c9-pmwiki; + index pmwiki.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index pmwiki.php; try_files $uri /pmwiki.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } } diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index f0619fe..cba9be5 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -16,45 +16,28 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none -Ciphers aes256-ctr,aes192-ctr,aes128-ctr # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO LogLevel VERBOSE # Authentication: -LoginGraceTime 1m +#LoginGraceTime 2m #PermitRootLogin prohibit-password -PermitRootLogin no #StrictModes yes #MaxAuthTries 6 -MaxAuthTries 3 #MaxSessions 10 -#RSAAuthentication yes -PubkeyAuthentication yes - -AllowGroups admin users gitolite +#PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys @@ -66,23 +49,19 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes -PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no @@ -116,7 +95,6 @@ ChallengeResponseAuthentication no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 diff --git a/tools/nginx.html b/tools/nginx.html index a85cf0e..ef78ecb 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -43,7 +43,7 @@

    2. Certificates

    -

    2.1. Lets encrypt

    +

    2.1. Lets encrypt

    Example of nginx location block on public pmwiki setup;

    @@ -57,6 +57,12 @@ }
    +

    First run dryrun to test if everything is ok;

    + +
    +        # certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
    +        
    +
             # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
             
    diff --git a/tools/qemu.html b/tools/qemu.html index c914d74..fc0f15c 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -234,11 +234,89 @@

    Set guests machines to run under the total resolution provided by host system configure grub on the guest with gfxmode;

    +

    Guest Graphics

    + +

    Get current resolution on host machine;

    +
    -        GRUB_GFXMODE=640x480
    +        $ xrandr --current | fgrep '*'
    +            1366x768      60.00*+
    +        
    + +

    Set grub gfxmod on guest machine, edit /etc/default/grub;

    + +
    +        GRUB_GFXMODE=1366x768
             GRUB_GFXPAYLOAD_LINUX=keep
             
    +

    Update grub configuration on guest machine;

    + +
    +        # update-grub
    +        
    + +

    Guest Sound

    + +

    Check if DMAR is enable on kernel configuration, + Intel and AMD uses different technology. To check on + Inter machine run;

    + +
    +	# grep -e DMAR -e IOMMU
    +	
    + +

    runvm/profile/crux

    + +
    +        export QEMU_AUDIO_DRV=alsa
    +        #export QEMU_AUDIO_DRV=sdl
    +
    +
    +        #boot=$1
    +        boot=c
    +
    +        iso=iso/crux-3.2.iso
    +        #iso=$2
    +
    +        #image=$3
    +        image=img/crux-img.qcow2
    +
    +        #tap=$4
    +        tap="tap1"
    +
    +        #mac=$(rmac_addr)
    +        mac="54:60:be:ef:5c:72"
    +
    +        other="-soundhw hda"
    +        
    + +

    runvm/runvm.sh

    + +
    +        function rmac_addr (){
    +        printf '54:60:BE:EF:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256))
    +        }
    +
    +        source profile/$1
    +        boot=$2
    +
    +        #mac=$(rmac_addr)
    +
    +        qemu-system-x86_64 \
    +            -enable-kvm \
    +            -m 1024 \
    +            -boot ${boot} \
    +            -cdrom ${iso} \
    +            -hda ${image} \
    +            -vga std \
    +            -display sdl \
    +            -device e1000,netdev=t0,mac=${mac} \
    +            -netdev tap,id=t0,ifname=${tap},script=no,downscript=no \
    +            ${other} \
    +            &>
    +        
    + Tools Index

    This is part of the c9 Manual. Copyright (C) 2016 diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf index db9978d..1ebdccb 100644 --- a/tools/scripts/pkgmk-test.conf +++ b/tools/scripts/pkgmk-test.conf @@ -2,11 +2,13 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64" +export CPPFLAGS="-D_FORTIFY_SOURCE=2" +export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check" export CXXFLAGS="${CFLAGS}" - +export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" export MAKEFLAGS="-j4" + case ${PKGMK_ARCH} in "64"|"") ;; @@ -34,5 +36,3 @@ PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) # PKGMK_WGET_OPTS="" # PKGMK_CURL_OPTS="" # PKGMK_COMPRESSION_MODE="gz" - - diff --git a/tools/scripts/pkgmk-test.sh b/tools/scripts/pkgmk-test.sh index 5509ac2..a279967 100644 --- a/tools/scripts/pkgmk-test.sh +++ b/tools/scripts/pkgmk-test.sh @@ -2,4 +2,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" CONF=${DIR}/pkgmk-test.conf -fakeroot pkgmk -cf $CONF -d $1 +fakeroot pkgmk -cf $CONF -d -is $1 -- cgit 1.4.1-2-gfad0