From 5ff68b8c191272fe9c80765fa6ac11c18aee3224 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 4 Feb 2017 19:44:23 +0000 Subject: qemu and pkgmk-test.conf revision --- tools/qemu.html | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) (limited to 'tools/qemu.html') diff --git a/tools/qemu.html b/tools/qemu.html index 86fb7aa..1c58e49 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -193,9 +193,17 @@

Guest System

-

See scripts/system-qemu.sh, - as template. Run virtual machine that uses above tap device;

+

See scripts/runvm/runvm.sh, + as template. Example scripts;

+

runvm/profile/crux

+
+        iso=iso/crux-3.2.iso
+        image=img/crux-img.qcow2
+        tap="tap1"
+        
+ +

runvm/runvm.sh

         #!/bin/bash
 
@@ -203,14 +211,9 @@
         printf '54:60:BE:EF:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256))
         }
 
-        #boot=d
-        boot=$1
-        #iso=crux-3.2.iso
-        iso=$2
-        #image=crux-img.qcow2
-        image=$3
-        #tap="tap1"
-        tap=$4
+        source profile/$1
+        boot=$2
+
         mac=$(rmac_addr)
 
         qemu-system-x86_64 \
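Review bot: `source profile/$1` executes whatever file the first argument names, resolved against the current directory rather than the script's, so an argument with a path component (`../x` or an absolute path) sources a file outside `profile/`, and a missing `$1` tries to source the directory itself, which prints an error but, without `set -e`, does not stop the script. Restrict the argument to a bare profile name and fail early, e.g. `[[ -n $1 && $1 != */* && -f profile/$1 ]] || { echo "usage: $0 <profile> <boot>" >&2; exit 1; }` followed by `source "profile/$1"`. The profile contract is only implied by the `runvm/profile/crux` example; a comment above the source line, `# profile/<name> must define iso, image and tap`, would make it explicit. The `qemu-system-x86_64` command this hunk feeds continues in the next hunk.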
@@ -219,8 +222,19 @@
             -boot ${boot} \
             -cdrom ${iso} \
             -hda ${image} \
+            -vga std \
+            -display sdl \
             -device e1000,netdev=t0,mac=${mac} \
-            -netdev tap,id=t0,ifname=${tap},script=no,downscript=no
+            -netdev tap,id=t0,ifname=${tap},script=no,downscript=no \
+            &
+        
+ +

Set guests machines to run under the total resolution provided + by host system configure grub on the guest with gfxmode;

+ +
+        GRUB_GFXMODE=640x480
+        GRUB_GFXPAYLOAD_LINUX=keep
         
Tools Index -- cgit 1.4.1-2-gfad0 From d26a4e12deafade205d37a9fda748a6b78dfdb6a Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 25 Feb 2017 18:40:03 +0000 Subject: overall revesion --- core/bash.html | 10 +- core/conf/iptables/iptables-lan.sh | 143 ++++++++++++++++++--------- core/conf/iptables/rules.v4 | 76 +++++++------- core/conf/sysctl.conf | 148 +++++++++++++++------------- core/dash.html | 4 +- core/exim.html | 33 ++++--- core/grsecurity.html | 85 ++++++++++++++++ core/hardening.html | 197 +++++++++++++++++++++++++++++++++++++ core/index.html | 51 +++++----- core/linux.html | 71 +++++++------ core/network.html | 16 +-- core/package.html | 16 +-- core/ports.html | 8 +- core/reboot.html | 11 ++- core/scripts/setup-install.sh | 2 +- core/tmux.html | 6 +- core/tty-terminal.html | 4 +- tools/conf/etc/rc.d/dnscrypt-proxy | 5 +- tools/dnsmasq.html | 7 +- tools/gitolite.html | 3 +- tools/index.html | 6 -- tools/mutt.html | 10 +- tools/qemu.html | 18 ++-- tools/x.html | 28 ++++-- 24 files changed, 671 insertions(+), 287 deletions(-) create mode 100644 core/grsecurity.html create mode 100644 core/hardening.html (limited to 'tools/qemu.html') diff --git a/core/bash.html b/core/bash.html index 2c1f6e9..353d7df 100644 --- a/core/bash.html +++ b/core/bash.html @@ -2,12 +2,12 @@ - 2.4.2. Bash + 2.5.2. Bash Core OS Index -

2.4.2. Bash

+

2.5.2. Bash

Just to be sure, setup bash as default login;

@@ -32,7 +32,7 @@ alias, editor. -

2.4.2.1. Profile

+

2.5.2.1. Profile

Example of ~/.profile;

@@ -43,7 +43,7 @@ export SSH_AUTH_SOCK # enable gpg-agent for ssh -

2.4.2.2. Bash RC

+

2.5.2.2. Bash RC

Example of ~/.bashrc;

@@ -106,7 +106,7 @@ fi -

2.4.2.3. Bash profile

+

2.5.2.3. Bash profile

Example of ~/.bash_profile;

diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index fae7345..58d92c3 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh @@ -26,8 +26,7 @@ NIC_NAME="enp8s0 wlp7s0" # Logging options. #------------------------------------------------------------------------------ -LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" -LOG="$LOG --log-ip-options" +LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" # Defaults for rate limiting @@ -59,9 +58,9 @@ $MODPROBE ip_conntrack_irc # Drop everything by default. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -P OUTPUT DROP -# Set the nat/mangle/raw tables' chains to ACCEPT +# Set the nat/mangle/raw tables' chains to DROP $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P INPUT ACCEPT 
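Review bot: The rewritten comment `# Set the nat/mangle/raw tables' chains to DROP` contradicts the `$IPTABLES -t mangle -P ... ACCEPT` policy lines that follow it, which this hunk leaves as ACCEPT; keep the comment as `# Set the nat/mangle/raw tables' chains to ACCEPT` unless the policies themselves are meant to change. Switching the filter OUTPUT policy to DROP in the same hunk only matters if no earlier OUTPUT rule accepts everything, which the rest of this script should be checked for before relying on the new policy. The `LOG=` merge in the first hunk of this file is equivalent to the two lines it replaces (`--log-level 7` is the numeric form of `debug`), so nothing to raise there.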
@@ -89,53 +88,58 @@ $IPTABLES -t mangle -Z # Block all IPv6 traffic # If the ip6tables command is available, try to block all IPv6 traffic. -if test -x $IP6TABLES; then +#if test -x $IP6TABLES; then # Set the default policies # drop everything -$IP6TABLES -P INPUT DROP 2>/dev/null -$IP6TABLES -P FORWARD DROP 2>/dev/null -$IP6TABLES -P OUTPUT DROP 2>/dev/null - -# The mangle table can pass everything -$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null +#$IP6TABLES -P INPUT DROP +#$IP6TABLES -P FORWARD DROP +#$IP6TABLES -P OUTPUT DROP +# +## The mangle table can pass everything +#$IP6TABLES -t mangle -P PREROUTING ACCEPT +#$IP6TABLES -t mangle -P INPUT ACCEPT +#$IP6TABLES -t mangle -P FORWARD ACCEPT +#$IP6TABLES -t mangle -P OUTPUT ACCEPT +#$IP6TABLES -t mangle -P POSTROUTING ACCEPT # Delete all rules. -$IP6TABLES -F 2>/dev/null -$IP6TABLES -t mangle -F 2>/dev/null - -# Delete all chains. -$IP6TABLES -X 2>/dev/null -$IP6TABLES -t mangle -X 2>/dev/null - -# Zero all packets and counters. -$IP6TABLES -Z 2>/dev/null -$IP6TABLES -t mangle -Z 2>/dev/null -fi +#$IP6TABLES -F 2>/dev/null +#$IP6TABLES -t mangle -F 2>/dev/null +# +## Delete all chains. +#$IP6TABLES -X 2>/dev/null +#$IP6TABLES -t mangle -X 2>/dev/null +# +## Zero all packets and counters. +#$IP6TABLES -Z 2>/dev/null +#$IP6TABLES -t mangle -Z 2>/dev/null +#fi # Custom user-defined chains. #------------------------------------------------------------------------------ # LOG packets, then ACCEPT. $IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT " +$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " $IPTABLES -A ACCEPTLOG -j ACCEPT # LOG packets, then DROP. 
$IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP " +$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " $IPTABLES -A DROPLOG -j DROP # LOG packets, then REJECT. # TCP packets are rejected with a TCP reset. $IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT " +$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A REJECTLOG -j REJECT +# Allow loopback interface to do anything. +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A OUTPUT -o lo -j ACCEPT + + # Only allows RELATED ICMP types # (destination-unreachable, time-exceeded, and parameter-problem). # TODO: Rate-limit this traffic? @@ -185,10 +189,6 @@ $IPTABLES -A FORWARD -p icmp -j DROPLOG # Selectively allow certain special types of traffic. #------------------------------------------------------------------------------ -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - # Allow incoming connections related to existing allowed connections. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT @@ -199,7 +199,7 @@ $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #------------------------------------------------------------------------------ # We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ person before me; my label = psychogreedyevilsoft +# ^ greedyevilsoft $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP 
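Review bot: Commenting out the entire `if test -x $IP6TABLES` block means ip6tables is never given DROP policies, so the built-in IPv6 chains stay at their default of ACCEPT and the new OUTPUT DROP policy applies to IPv4 only; any IPv6 traffic passes unfiltered unless IPv6 is switched off elsewhere (the sysctl.conf in this commit shows `net.ipv6.conf.lo.disable_ipv6 = 1` as context, which as far as this page shows covers loopback only). If the intent is to rely on sysctl to disable IPv6, record that where the block is disabled, e.g. `# IPv6 filtering disabled here: IPv6 is turned off in /etc/sysctl.conf`; otherwise keep the three `-P ... DROP` lines active. Moving the loopback ACCEPT rules ahead of the ICMP rules is fine and is a real fix for pinging 127.0.0.1.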
@@ -234,12 +234,13 @@ $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN $IPTABLES -A SYN_FLOOD -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP - -$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -$IPTABLES -A INPUT -f -j DROP +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +#$IPTABLES -A INPUT -f -j DROP +$IPTABLES -A INPUT -f -j DROPLOG # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... 
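Review bot: Replacing the two dedicated LOG rules with `-j DROPLOG` loses the per-reason prefixes `iptables: drop sync: ` and `iptables: drop frag: `; both cases now log as `iptables: DROP `, indistinguishable from the catch-all drop at the end of INPUT, which makes bad-flag and fragment drops harder to pick out in syslog. The commented-out first line shows why the prefix was dropped: `--log-prefix` is an option of the LOG target and cannot be passed to a user chain such as DROPLOG. If the distinct prefixes matter for detection, keep a LOG rule with the specific prefix in front of the DROPLOG rule, e.g. `$IPTABLES -A INPUT -f -j $LOG $RLIMIT --log-prefix "iptables: drop frag: "` before `$IPTABLES -A INPUT -f -j DROPLOG`, and the same for the SYN-flag rule.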
@@ -247,22 +248,67 @@ $IPTABLES -A INPUT -f -j DROP #------------------------------------------------------------------------------ # Allow incoming SSH requests. -$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT + +# Allow incoming https server +#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT + + +# Selectively allow certain outbound connections, block the rest. +#------------------------------------------------------------------------------ +# + +# Allow ping +$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to ssh clients +$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow to dns +$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow irc +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to xmmp +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to rsync server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to pop3s server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to smtps server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ntp server +$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ftp server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to https server +$IPTABLES -A 
OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to http server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +# Selectively allow certain outbound server connections, block the rest. +#------------------------------------------------------------------------------ + +# Allow from https server +#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT + +# Allow from dns server +#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT # Explicitly log and reject everything else. #------------------------------------------------------------------------------ # Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j REJECTLOG -$IPTABLES -A OUTPUT -j REJECTLOG +$IPTABLES -A INPUT -j DROPLOG +$IPTABLES -A OUTPUT -j DROPLOG $IPTABLES -A FORWARD -j REJECTLOG # Counter hits -for i in $NIC_NAME -do - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -done +#for i in $NIC_NAME +#do +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP +#done #------------------------------------------------------------------------------ # Testing the firewall. @@ -273,5 +319,4 @@ done # Exit gracefully. #------------------------------------------------------------------------------ - - exit 0 +exit 0 diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 index 5a2ffe8..568455a 100644 
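Review bot: The new outbound allow-list never restricts anything: the script still appends `$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` earlier (visible as context of the `@@ -199,7 +199,7 @@` hunk), and since rules match in order every outbound packet is accepted there before it reaches the per-port rules or the final `$IPTABLES -A OUTPUT -j DROPLOG`; the saved ruleset in core/conf/iptables/rules.v4 in this same commit shows exactly that order. Either remove that blanket rule or narrow it to `--state ESTABLISHED,RELATED` so the allow-list and the OUTPUT DROP policy take effect, then re-run the checks in the `# Testing the firewall.` section. Separately, `# Allow to ssh clients` sits above a rule matching `--sport 2222 ... --state ESTABLISHED`, which describes replies from a local SSH server on port 2222, not outbound SSH client connections; fix the comment or add a `--dport 22` NEW,ESTABLISHED rule if outbound SSH is intended.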
--- a/core/conf/iptables/rules.v4 +++ b/core/conf/iptables/rules.v4 @@ -1,25 +1,25 @@ -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *security -:INPUT ACCEPT [3624:2121853] +:INPUT ACCEPT [4559:2307887] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [3590:999020] +:OUTPUT ACCEPT [4459:962215] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *raw -:PREROUTING ACCEPT [5432:2268406] -:OUTPUT ACCEPT [3623:1011362] +:PREROUTING ACCEPT [18446:3412851] +:OUTPUT ACCEPT [4467:962535] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *nat -:PREROUTING ACCEPT [1808:146553] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [322:28410] -:POSTROUTING ACCEPT [289:16068] +:PREROUTING ACCEPT [13936:1107904] +:INPUT ACCEPT [49:2940] +:OUTPUT ACCEPT [504:40037] +:POSTROUTING ACCEPT [504:40037] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] 
@@ -27,21 +27,18 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] +:OUTPUT DROP [0:0] :ACCEPTLOG - [0:0] :DROPLOG - [0:0] :REJECTLOG - [0:0] :RELATED_ICMP - [0:0] :SYN_FLOOD - [0:0] --A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP --A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource --A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP --A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource +-A INPUT -i lo -j ACCEPT -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" -A INPUT -p icmp -j DROP @@ -50,7 +47,6 @@ COMMIT -A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A INPUT -p icmp -j DROPLOG --A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP 
@@ -68,31 +64,41 @@ COMMIT -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT --A INPUT -j REJECTLOG +-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG +-A INPUT -j DROPLOG -A FORWARD -p icmp -f -j DROPLOG -A FORWARD -p icmp -j DROPLOG -A FORWARD -m state --state INVALID -j DROP -A FORWARD -j REJECTLOG +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -f -j DROPLOG -A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP -A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A OUTPUT -p icmp -j DROPLOG --A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state INVALID -j DROP --A OUTPUT -j REJECTLOG --A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp 
--sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A ACCEPTLOG -j ACCEPT --A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A DROPLOG -j DROP --A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -A REJECTLOG -j REJECT --reject-with icmp-port-unreachable -A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT 
@@ -102,4 +108,4 @@ COMMIT -A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN -A SYN_FLOOD -j DROP COMMIT -# Completed on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b60d3e6..d17c0c6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -2,9 +2,13 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 15 1 1 4 -kernel.randomize_va_space = 1 -kernel.shmmax = 500000000 +kernel.printk = 7 1 1 4 +kernel.randomize_va_space = 2 +# Shared Memory +#kernel.shmmax = 500000000 +# Total allocated file handlers that can be allocated +# fs.file-nr= +vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 @@ -16,14 +20,13 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -#kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking 
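Review bot: `# fs.file-nr=` is a placeholder for a value that cannot be set: fs.file-nr reports allocated/free/max file handles and is read-only, while the tunable is fs.file-max, which this file already sets further down (`fs.file-max = 65535` appears as context of the `@@ -58` hunk). Drop the two placeholder lines or reword the comment to `# fs.file-nr is read-only; the handle limit is fs.file-max below`. `vm.mmap_min_addr=65536` also breaks the `key = value` spacing used by every other line in the file.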
@@ -36,13 +39,13 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. -#kernel.grsecurity.deter_bruteforce = 1 +kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -58,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 +kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -72,7 +75,7 @@ kernel.grsecurity.linking_restrictions = 1 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -#kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't @@ -80,7 +83,7 @@ kernel.grsecurity.linking_restrictions = 1 # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -#kernel.grsecurity.fifo_restrictions = 1 +kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems 
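Review bot: `kernel.grsecurity.linking_restrictions = 0` turns off a protection whose own comment above it describes it as stopping users from following symlinks and hardlinks they do not own, and the hunks on this line also set `enforce_symlinksifowner` and `fifo_restrictions` to 0, as do the `@@ -341` and `@@ -359` hunks for `consistent_setxid` and `harden_ipc`, all without a recorded reason (they were previously 1 or left commented). Each loosening deserves a why-comment on the line above, e.g. `# disabled: <reason or program it breaks>`. Note that writing 0 differs from leaving the line commented: a commented line keeps the kernel's compiled-in default, while 0 forces the protection off, so for linking_restrictions the mainline `fs.protected_symlinks` / `fs.protected_hardlinks` sysctls are worth setting if the grsecurity one is the problem.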
@@ -115,14 +118,14 @@ kernel.grsecurity.chroot_caps = 1 # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. -kernel.grsecurity.chroot_deny_chmod = 1 +kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 +kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -182,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. 
@@ -212,7 +215,7 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 0 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to 
@@ -228,67 +231,64 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. -#kernel.grsecurity.resource_logging = 1 -kernel.grsecurity.resource_logging = 0 +kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 -kernel.grsecurity.audit_ptrace = 0 +kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 +kernel.grsecurity.audit_chdir = 0 # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. 
-#kernel.grsecurity.audit_mount = 1 -kernel.grsecurity.audit_mount = 0 +kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. -kernel.grsecurity.signal_logging = 0 +kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 -kernel.grsecurity.forkfail_logging = 0 +kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. -#kernel.grsecurity.timechange_logging = 1 +kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. -#kernel.grsecurity.rwxmap_logging = 1 +kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections 
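Review bot: The comment block above `kernel.grsecurity.audit_chdir = 0` is a verbatim copy of the audit_ptrace text ("all attempts to attach to a process via ptrace will be logged ... audit_ptrace"), so the line this hunk rewrites is documented as the wrong sysctl; the audit_group comment earlier in the file already refers to "the exec and chdir logging features". Replace it with `# If you say Y here, all chdir() calls will be logged. If the sysctl option is enabled, a sysctl option with name "audit_chdir" is created.`. The rest of the hunk switches logging options on, which is fine; a one-line note on why `audit_chdir` and `exec_logging` stay off (the exec_logging WARNING covers only that one) would complete the picture.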
@@ -305,14 +305,14 @@ kernel.grsecurity.forkfail_logging = 0 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -kernel.kptr_restrict = 1 +#kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +327,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 @@ -341,7 +341,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -#kernel.grsecurity.consistent_setxid = 1 +kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +359,7 @@ kernel.grsecurity.ptrace_readexec = 1 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 +kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." 
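Review bot: `#kernel.kptr_restrict = 2` comments the setting out instead of raising it, so the file no longer sets kptr_restrict at all and the kernel's default (or whatever else sets it) applies, while the comment `# Hide symbol addresses in /proc/kallsyms` still claims the hiding is configured. If 2 is the intended value write `kernel.kptr_restrict = 2`; if it is deliberately left to the kernel, say so in the comment, e.g. `# kptr_restrict left unset: <reason>`.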
@@ -367,7 +367,7 @@ kernel.grsecurity.harden_ipc = 1 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 101 +kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -386,10 +386,11 @@ kernel.grsecurity.tpe_invert = 1 # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 0 +kernel.grsecurity.tpe_restrict_all = 1 + +kernel.grsecurity.harden_tty = 1 -#kernel.grsecurity.harden_tty = 1 # # Network Protections # @@ -418,7 +419,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 -# Avoid a smurf attack +# Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages @@ -447,10 +448,6 @@ net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 -# No source routed packets here -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm 
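Review bot: `kernel.grsecurity.tpe_gid = 4` changes the TPE group from 101 to 4 with nothing saying which group that is, and because `kernel.grsecurity.tpe_invert = 1` is set (context of the `@@ -386` hunk) members of that gid are the ones exempt from TPE; with `tpe_restrict_all = 1` now applying to everyone else, that exemption is the whole policy, so a wrong gid silently widens who may run binaries from untrusted directories. Add the mapping on the line above, e.g. `# gid 4 = <group name from /etc/group>: its members are exempt from TPE (tpe_invert = 1)`, so it can be checked against /etc/group on the target host.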
@@ -459,16 +456,23 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables +# Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 +# No source routed packets here +# Discard packets with source routes, ip spoofing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 -# Act as a router, necessary for Access Point -net.ipv4.ip_forward = 1 -net.ipv4.conf.all.send_redirects = 1 -net.ipv4.conf.default.send_redirects = 1 + +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 + +net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 
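Review bot: The comment `# Act as a router, necessary for Access Point` now sits directly above `net.ipv4.conf.all.accept_redirects = 0` in the -459 hunk, but it was written for the `ip_forward`/`send_redirects` lines that the hunk moves further down and switches to 0, so it now labels lines that do the opposite of what it says. Drop it from its new position and put the intent where the value is, for example `# Forwarding off; set ip_forward = 1 (and send_redirects to match) only when this host is an access point` above `net.ipv4.ip_forward = 0`. The run of blank lines left between the `accept_source_route` block and `send_redirects` also reads like a leftover of the move.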
@@ -477,15 +481,29 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 +# Disable proxy_arp +net.ipv4.conf.default.proxy_arp = 0 +net.ipv4.conf.all.proxy_arp = 0 + +# Disable bootp_relay +net.ipv4.conf.default.bootp_relay = 0 +net.ipv4.conf.all.bootp_relay = 0 + +# Decrease TCP fin timeout +net.ipv4.tcp_fin_timeout = 30 +# Decrease TCP keep alive time +net.ipv4.tcp_keepalive_time = 1800 +# Sen SynAck retries to 3 +net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -498,7 +516,7 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off 
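Review bot: The new comment `# Sen SynAck retries to 3` in the -477 hunk has a typo and gives no reason for the change; `# Set SYN-ACK retries to 3 (below the kernel default) so half-open connections expire sooner under a SYN flood` would carry it. Lowering `tcp_synack_retries` only shortens how long half-open sockets linger, so it is worth confirming that `net.ipv4.tcp_syncookies = 1` is set elsewhere in this file (it does not appear in the visible hunks) before this is counted as flood protection. The `proxy_arp` and `bootp_relay` settings are explained only by their names; a short phrase such as `# not a router: do not answer ARP for other hosts or relay DHCP` would make the intent clear to the next reader.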
@@ -506,14 +524,14 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. -#kernel.grsecurity.ip_blackhole = 1 -#kernel.grsecurity.lastack_retries = 4 +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -#kernel.grsecurity.socket_all = 1 +kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -527,13 +545,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_client = 1 +kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. -#kernel.grsecurity.socket_client_gid = 203 +kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
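Review bot: `kernel.grsecurity.socket_client_gid = 15` in the -527 hunk, now enforced because `socket_client` is switched on in the same hunk, does not match the group core/grsecurity.html creates with `groupadd -g 203 socket-deny-client`, so whichever local group owns GID 15 loses outbound socket access while members of the created group are unaffected. Point the sysctl at the created group, `kernel.grsecurity.socket_client_gid = 203`, or create the group with `-g 15`, and record the group name in a comment beside the number. The same mismatch exists in the next hunk, where `socket_server_gid = 99` is enabled against `groupadd -g 204 socket-deny-server`.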
@@ -541,13 +559,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_server = 1 +kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. -#kernel.grsecurity.socket_server_gid = 204 +kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -559,17 +577,15 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. -# +# # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. -#kernel.grsecurity.deny_new_usb = 0 +kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # -#kernel.grsecurity.grsec_lock = 1 - - +kernel.grsecurity.grsec_lock = 0 # End of file diff --git a/core/dash.html b/core/dash.html index ed6dbab..a926ce7 100644 --- a/core/dash.html +++ b/core/dash.html @@ -2,13 +2,13 @@ - 2.4.1. Dash + 2.5.1. Dash Core OS Index -
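Review bot: `kernel.grsecurity.grsec_lock = 0` at the end of the -559 hunk leaves every grsecurity sysctl in this file writable at runtime, so a process that gains root can simply flip `tpe`, `harden_ptrace` or `ip_blackhole` back off; the lock is the one setting that makes the rest of the file stick. Keeping it at 0 while the policy is still being tuned is reasonable, but then the line should say so, e.g. `# grsec_lock: set to 1 once the values above are final; keep it the last line so it is applied after them`. `deny_new_usb = 0` just above is in the same position: the comment over it says it should be set after the init scripts, so if it is ever turned on it belongs in a late rc script rather than in sysctl.conf.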

2.4.1. Dash

+

2.5.1. Dash

By default dash installed as /bin/sh, if not relink;

diff --git a/core/exim.html b/core/exim.html index c1fd494..e922789 100644 --- a/core/exim.html +++ b/core/exim.html @@ -2,24 +2,33 @@ - 2.5. Exim + 2.6. Exim Core OS Index -

2.5. Exim

+

2.6. Exim

-

2.5.1. Exim Configuration

+

2.6.1. Exim Configuration

Exim come with default configuration we will change to mach system settings /etc/exim/exim.conf.

-

2.5.2. Certificates

+
+        $ sudo prt-get depinst mailx
+        
-

Create private key, this example issues a certificate to - core.privat-server.net, if you wish get a subdomain from - afraid.org - pointing to your public ip. -

+

2.6.2. Certificates

+ +

Exim creates a key for you if you just copy exim.conf and start daemon;

+ +
+        # cp /home/silvino/data/git/c9/c9-doc/core/conf/exim/exim.conf /etc/exim/exim.conf
+        # sh /etc/rc.d/exim start
+        SSL certificate /etc/ssl/certs/exim.crt with key /etc/ssl/keys/exim.key for host c9.core created
+        #
+        
+ +

Manually create a private key;

 	$ sudo mkdir /etc/ssl/keys
@@ -55,7 +64,7 @@
 	# chmod 644 /etc/ssl/certs/exim.cert
 	
-

2.5.3. Aliases

+

2.6.3. Aliases

Exim come with default aliases we will change to mach system settings /etc/exim/aliases;

@@ -100,7 +109,7 @@ #### -

2.5.4. Smarthost

+

2.6.4. Smarthost

Tony Finch publish a nice configuration reference. @@ -124,7 +133,7 @@ # exim -bt bob@remote.com -

2.5. Fetchmail

+

2.6. Fetchmail

         $ prt-get depinst fetchmail
diff --git a/core/grsecurity.html b/core/grsecurity.html
new file mode 100644
index 0000000..cda9bfb
--- /dev/null
+++ b/core/grsecurity.html
@@ -0,0 +1,85 @@
+
+
+    
+        
+        Grsecurity
+    
+    
+
+        Tools Index
+
+        

Grsecurity

+ +

Grsecurity utilities are installed and configured in + hardening, kernel witch grsecurity + patch is installed using + linux port.

+ + +

Special Groups

+
+        getent group tpe >/dev/null || groupadd -g 200 tpe
+        getent group audit >/dev/null || groupadd -g 201 audit
+        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+        
+ +

Pax

+ +

Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.

+ + /usr/bin/grub-script-check + /usr/sbin/grub-probe + /usr/sbin/grub-mkdevicemap + +

Gradm

+ +

Gradm is grsecurity access control lists administration utility. Gradm + have a + learning mode + per-subject, per-role or system-wide. Learning mode gather information that + RBAC system supports, it reduces policy size, increase readability and enforces + that is configurable. Protected resources can be added to /etc/grsec/learn_cong + to learning system.

+ +

Entering in learning mode;

+ +
+        # gradm -F -L /etc/grsec/learning.log
+        
+ +

To perform administrative tasks while system learning is running, + authenticate to admin role;

+ +
+        # gradm -a admin
+        
+ +

When learning system have gather sufficient data disable RBAC system;

+ +
+        # gradm -D
+        
+ +

Now that RBAC is disable data collected can be used to generate ACLs;

+ +
+        # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
+        
+ +

Start RBAC with policy;

+ +
+        # gradm -E
+        
+ + Tools Index +

This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

+ + + diff --git a/core/hardening.html b/core/hardening.html new file mode 100644 index 0000000..478c911 --- /dev/null +++ b/core/hardening.html @@ -0,0 +1,197 @@ + + + + + Hardening + + + + Tools Index + +

Hardening

+ +

Kernel in ports have upstream linux kernel and + grsecurity patch, it should break some functionality + for the user and pkgmk user if tpe protection is active.

+ +
+        $ sudo prt-get depinst gradm paxtest paxd checksec lynis
+        
+ +

Check grsecurity on how to setup + kernel, pax and gradm.

+ +

Lynis tries to give system overall configuration, without + changing default profile run irrelevant tests. Create a lynis + profile by coping default one and run lynis;

+ +
+        $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
+        $ sudo lynis configure settings color=yes
+        $ sudo lynis show settings
+        $ sudo lynis show profile
+        
+ +
+        $ lynis audit system > lynis_report
+        $ mv /tmp/lynis.log .
+        $ mv /tmp/lynis-report.dat .
+        
+ +

Add unnecessary tests to profile to have less noise.

+ +

Rebuild Toolchain

+ +

Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + arch security, + gentoo security, + gcc instrumentation-options + and glibc + configuring and compiling. Edit /etc/pkgmk.conf;

+ +
+        export CPPFLAGS="-D_FORTIFY_SOURCE=2"
+        export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS="-z relro"
+        
+ +

Core

+ +

Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.

+ +

Glibc

+ + + +
+        export CPPFLAGS=""
+        export CFLAGS="-O2 -march=native -mtune=native"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS=""
+        
+ +
+        ../$name-${version:0:4}/configure --prefix=/usr \
+                --libexecdir=/usr/lib \
+                --with-headers=$PKG/usr/include \
+                --enable-kernel=3.12 \
+                --enable-add-ons \
+                --enable-static-nss \
+                --disable-profile \
+                --disable-werror \
+                --without-gd \
+                --enable-obsolete-rpc \
+                --enable-multi-arch \
+                --enable-stackguard-randomization \
+                --enable-stack-protector=strong
+        
+ +

Gcc

+ + + +
+        export CPPFLAGS=""
+        export CFLAGS="-O2 -march=native -mtune=native"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS=""
+        
+ +

libcap

+ + + +

bzip2

+ + + +

hdparm

+ + + +

Opt

+ +

lsof

+ + + +

python

+ + + +

zip

+ + + +

glew

+ + + +

dmenu

+ + + +

Boost

+ + + +
+        export CPPFLAGS=""
+        export CFLAGS="-O2 -march=native -mtune=native"
+        export CXXFLAGS="${CFLAGS}"
+        export LDFLAGS=""
+        
+ +

Contrib

+ +

gsl

+ + + + + Tools Index +

This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

+ + + diff --git a/core/index.html b/core/index.html index 6859376..97376f4 100644 --- a/core/index.html +++ b/core/index.html @@ -79,41 +79,46 @@
  • 2.1.5. Sysctl
  • - -
  • 2.2. Network +
  • 2.2. Hardening + +
  • +
  • 2.3. Network
  • -
  • 2.3. Package Management +
  • 2.4. Package Management
  • -
  • 2.4. Terminals and shells +
  • 2.5. Terminals and shells
  • -
  • 2.5. Exim +
  • 2.6. Exim
  • diff --git a/core/linux.html b/core/linux.html index 903d9e2..888b916 100644 --- a/core/linux.html +++ b/core/linux.html @@ -164,9 +164,8 @@ kernel.printk = 7 1 1 4 kernel.randomize_va_space = 2 - kernel.kptr_restrict = 2 # Shared Memory - kernel.shmmax = 500000000 + #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 @@ -188,7 +187,6 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - #kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking @@ -207,7 +205,7 @@ # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. - #kernel.grsecurity.deter_bruteforce = 1 + kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -223,7 +221,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 1 + kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -237,7 +235,7 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - #kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't 
@@ -245,7 +243,7 @@ # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - #kernel.grsecurity.fifo_restrictions = 1 + kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -280,14 +278,14 @@ # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. - kernel.grsecurity.chroot_deny_chmod = 1 + kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking # out of a chroot jail and should not be allowed. If the sysctl # option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. - kernel.grsecurity.chroot_deny_chroot = 1 + kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -400,7 +398,7 @@ # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. - #kernel.grsecurity.resource_logging = 1 + kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain 
@@ -412,8 +410,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - #kernel.grsecurity.audit_ptrace = 1 - kernel.grsecurity.audit_ptrace = 0 + kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -423,27 +420,26 @@ # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. - #kernel.grsecurity.audit_mount = 1 - kernel.grsecurity.audit_mount = 0 + kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. - kernel.grsecurity.signal_logging = 0 + kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 - kernel.grsecurity.forkfail_logging = 0 + kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. - #kernel.grsecurity.timechange_logging = 1 + kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when 
@@ -452,7 +448,7 @@ # is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. - #kernel.grsecurity.rwxmap_logging = 1 + kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections @@ -469,7 +465,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - kernel.kptr_restrict = 1 + #kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -505,7 +501,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - #kernel.grsecurity.consistent_setxid = 1 + kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -523,7 +519,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 1 + kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -531,7 +527,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 101 + kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This 
@@ -550,10 +546,11 @@ # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. - kernel.grsecurity.tpe_restrict_all = 0 + kernel.grsecurity.tpe_restrict_all = 1 - #kernel.grsecurity.harden_tty = 1 + kernel.grsecurity.harden_tty = 1 + # # Network Protections # @@ -687,14 +684,14 @@ # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. - #kernel.grsecurity.ip_blackhole = 1 - #kernel.grsecurity.lastack_retries = 4 + kernel.grsecurity.ip_blackhole = 1 + kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - #kernel.grsecurity.socket_all = 1 + kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -708,13 +705,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_client = 1 + kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. - #kernel.grsecurity.socket_client_gid = 203 + kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be 
@@ -722,13 +719,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_server = 1 + kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. - #kernel.grsecurity.socket_server_gid = 204 + kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -744,12 +741,12 @@ # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. - #kernel.grsecurity.deny_new_usb = 0 + kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # - #kernel.grsecurity.grsec_lock = 1 + kernel.grsecurity.grsec_lock = 0 # End of file
    @@ -757,10 +754,10 @@ Core OS Index

    This is part of the c9-doc Manual. -Copyright (C) 2017 -c9 team. -See the file Gnu Free Documentation License -for copying conditions.

    + Copyright (C) 2017 + c9 team. + See the file Gnu Free Documentation License + for copying conditions.

    diff --git a/core/network.html b/core/network.html index bcf52f5..4f1f20a 100644 --- a/core/network.html +++ b/core/network.html @@ -2,12 +2,12 @@ - 2. Network + 2.3. Network Core OS Index -

    2. Network

    +

    2.3. Network

    Operation of the network can be handle with init scripts;

    @@ -49,7 +49,7 @@ described scripts then proceed to update system.

    -

    2.2.1. Resolver

    +

    2.3.1. Resolver

    This example will use Chaos Computer Club @@ -65,7 +65,7 @@ # chattr +i /etc/resolv.conf -

    2.2.2. Static IP

    +

    2.3.2. Static IP

    Current example of /etc/rc.d/net;

    @@ -112,7 +112,7 @@ # ip route add default via ${GW} -

    2.2.3. Iptables

    +

    2.3.3. Iptables

    For more information about iptables read arch wiki. @@ -149,7 +149,7 @@

    -

    2.2.4. Wpa and dhcpd

    +

    2.3.4. Wpa and dhcpd

    There is more information on Wiki Wifi Start Scripts and @@ -167,7 +167,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 -

    2.2.4.1. Wpa Supplicant

    +

    2.3.4.1. Wpa Supplicant

    Configure wpa supplicant edit;

    @@ -197,7 +197,7 @@ init script to auto load wpa configuration and dhcp client.

    -

    2.2.4.2. Wpa Cli

    +

    2.3.4.2. Wpa Cli

             # wpa_cli
    diff --git a/core/package.html b/core/package.html
    index 3c59669..327029e 100644
    --- a/core/package.html
    +++ b/core/package.html
    @@ -2,13 +2,13 @@
     
         
             
    -        2.3. Package Management
    +        2.4. Package Management
         
         
     
             Core OS Index
     
    -        

    2.3. Package Management

    +

    2.4. Package Management

    For more information read crux handbook Package management front-end: @@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion

    -

    2.3.1. Update System

    +

    2.4.1. Update System

    Before build software get latest version of port collections;

    @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) -

    2.3.2. Install port and dependencies

    +

    2.4.2. Install port and dependencies

    Installing using prt-get tool;

    @@ -111,7 +111,7 @@

    If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.

    -

    2.3.3. Ports collections

    +

    2.4.3. Ports collections

    Clone this documentation;

    @@ -146,7 +146,7 @@ $ sudo ports -u 6c37 -

    2.3.4. Show port information

    +

    2.4.4. Show port information

             $ prt-get info port_name
    @@ -164,13 +164,13 @@
             $ pkginfo -o filename
             
    -

    2.3.5. Show port dependencies

    +

    2.4.5. Show port dependencies

             $ prt-get depends port_name
             
    -

    2.3.6. Print information

    +

    2.4.6. Print information

    Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;

    diff --git a/core/ports.html b/core/ports.html index 98ccbba..9662e43 100644 --- a/core/ports.html +++ b/core/ports.html @@ -23,8 +23,8 @@ # useradd -U -M -d /usr/ports -s /bin/false pkgmk -

    You can add your self to group pkgmk, Members of this group will - not be under tpe protection.

    +

    You can add your self to group pkgmk. Check if members of this + group are under tpe protection.

             # usermod -a -G pkgmk c9admin
    @@ -62,7 +62,7 @@
             

    Edit fstab, change uid to id of pkgmk, this example 102;

    -        pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults 0 0
    +        pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults,mode=0750 0 0
             
    @@ -86,8 +86,6 @@ export CFLAGS="-O2 -march=native -mtune=native"
    -

    "-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen

    -

    Discover number of cores/cpus to hard code -j option.

    diff --git a/core/reboot.html b/core/reboot.html
    index 7bc22ea..23e2996 100644
    --- a/core/reboot.html
    +++ b/core/reboot.html
    @@ -33,13 +33,22 @@
     
             

    1.4.1. Linux Kernel

    -

    Core ports have two kernels, linux-libre and linux-blob. +

    Core ports have two + linux kernels, + linux-libre and + linux-blob. Port linux-libre kernel is a true source based kernel that respects your freedoms, is x86_64 but not generic configured, select modules (drivers) for your hardware, for example correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).

    +

    Addition to upstream kernel is applied a patch with + more cpu families gcc optimizations and grsecurity patch. + Check tpe protection configuration on + sysctl if breaks functionality + during initial configuration.

    +
             # cd /usr/ports/c9-ports/linux-libre
             # pkgmk -d
    diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh
    index 01e3bd1..0e0a720 100644
    --- a/core/scripts/setup-install.sh
    +++ b/core/scripts/setup-install.sh
    @@ -270,7 +270,7 @@ setup_ports() {
             PATH=/bin:/usr/bin:/sbin:/usr/sbin \
             /bin/bash -c "id pkgmk >> /etc/fstab"
     
    -    echo "pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0" >> $CHROOT/etc/fstab
    +    echo "pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults,mode=0750 0    0" >> $CHROOT/etc/fstab
     
         vim $CHROOT/etc/fstab
     
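Review bot: The new fstab line hard-codes `uid=101,gid=102` for the tmpfs, while core/ports.html in this same commit documents the pkgmk mount with `uid=102`, so at least one of the two is wrong for any given install; the ids should be derived from the chroot's passwd after the user is created rather than typed in, e.g. `uid=$(chroot "$CHROOT" id -u pkgmk),gid=$(chroot "$CHROOT" id -g pkgmk)` inside the echo. `mode=0750` is a good addition, since it stops other users from reading or writing the build tree, but with `uid`/`gid` pointing at the wrong ids it would lock out the build user itself. The `setup_ports` function starts before this hunk, so whether `pkgmk` already exists at this point is not visible here.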
    diff --git a/core/tmux.html b/core/tmux.html
    index d1ab587..fe494b5 100644
    --- a/core/tmux.html
    +++ b/core/tmux.html
    @@ -2,13 +2,13 @@
     
         
             
    -        2.4.3. Tmux
    +        2.5.3. Tmux
         
     
         
     
             Core OS Index
    -        

    2.4.3. Tmux

    +

    2.5.3. Tmux

    Install tmux, improves cli work efficiency;

    @@ -79,7 +79,7 @@ key } swap pane
    -

    2.4.3.1. Copy paste

    +

    2.5.3.1. Copy paste

    This instructions are valid if tmux.conf file discribed in this document is used;

    diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 47f7bf0..1abf15e 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -2,13 +2,13 @@ - 2.4. Consoles, terminals and shells + 2.5. Consoles, terminals and shells Core OS Index -

    2.4. Consoles, terminals and shells

    +

    2.5. Consoles, terminals and shells

    Consoles
    diff --git a/tools/conf/etc/rc.d/dnscrypt-proxy b/tools/conf/etc/rc.d/dnscrypt-proxy index 0874fa6..db8cd77 100755 --- a/tools/conf/etc/rc.d/dnscrypt-proxy +++ b/tools/conf/etc/rc.d/dnscrypt-proxy @@ -12,7 +12,7 @@ # Authors: https://github.com/simonclausen/dnscrypt-autoinstall/graphs/contributors # Project site: https://github.com/simonclausen/dnscrypt-autoinstall -USER=nobody +USER=net PATH=/usr/sbin:/usr/bin:/sbin:/bin DAEMON=/usr/sbin/dnscrypt-proxy NAME=dnscrypt-proxy @@ -24,7 +24,8 @@ PKEY1=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A case "$1" in start) echo "Starting $NAME" - $DAEMON --daemonize --ephemeral-keys --user=nobody --local-address=127.0.0.1:40 \ + $DAEMON --daemonize --ephemeral-keys --user=nobody \ + --local-address=127.0.0.1:40 \ --resolver-address=$ADDRESS3 \ --provider-name=$PNAME1 \ --provider-key=$PKEY3 \ diff --git a/tools/dnsmasq.html b/tools/dnsmasq.html index 2aa7b82..720979b 100644 --- a/tools/dnsmasq.html +++ b/tools/dnsmasq.html @@ -14,6 +14,11 @@ censorship there for respect your freedom and privacy. Read Tor Dns Resolver for more information.
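Review bot: The rewritten start line in the -24 hunk still passes `--user=nobody` while the -12 hunk just changed `USER` to `net`, so the daemon keeps dropping to `nobody` and the new variable is never used; the invocation should read `--user=$USER`, which is also what tools/dnsmasq.html in this commit documents with `sudo -u net dnscrypt-proxy`. Moving to a dedicated unprivileged account instead of the shared `nobody` is the right direction, but only if the process actually runs as it. Separately, the unchanged lines pair `--provider-name=$PNAME1` with `--resolver-address=$ADDRESS3` and `--provider-key=$PKEY3`; if those indices belong to different resolvers the provider name will not match the key, which is worth confirming.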

    +
    +        $ sudo useradd -M -r -s /bin/false -g net net
    +        
    + +

    1. Dnscrypt

    @@ -28,7 +33,7 @@
             nobody user. Basic usage example;

    -        $ sudo -u nobody  dnscrypt-proxy --daemonize --resolver-name=<resolver name>
    +        $ sudo -u net  dnscrypt-proxy --daemonize --resolver-name=<resolver name>
             

    2. Dnsmasq

    diff --git a/tools/gitolite.html b/tools/gitolite.html index 94abda0..ab1ad3a 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -22,8 +22,7 @@

    Create user and home directory;

    -        # mkdir -p /srv/gitolite
    -        # useradd -r -s /bin/bash -m -d /srv/gitolite gitolite
    +        # useradd -r -s /bin/bash -U -m -d /srv/gitolite gitolite
             # chown gitolite:gitolite /srv/gitolite
             
    diff --git a/tools/index.html b/tools/index.html index da1cd40..2f84114 100644 --- a/tools/index.html +++ b/tools/index.html @@ -68,12 +68,6 @@

    System Administration

      -
    • Hardening - -
    • Network Tools
      • Dnscrypt and Dnsmasq
      • diff --git a/tools/mutt.html b/tools/mutt.html index ef7cdbd..5c72e0c 100644 --- a/tools/mutt.html +++ b/tools/mutt.html @@ -162,7 +162,15 @@

        2.1. System Email

        -

        Content of .mutt/system;

        +

        Check and point enviroment mail variable to new local maildir;

        + +
        +        $ echo "MAIL=$HOME/.mail/" >> ~/.bashrc
        +        $ source ~/.bashrc
        +        $ env | grep MAIL
        +        
        + +

        Content of .mutt/system;

                 color status green default
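Review bot: `echo "MAIL=$HOME/.mail/" >> ~/.bashrc` appends a plain shell assignment, not an exported variable, so a mutt process started from that shell will not see the new value unless MAIL was already in the environment at login; the `env | grep MAIL` check that follows would then show nothing or the old path. Write `echo 'export MAIL="$HOME/.mail/"' >> ~/.bashrc` instead, which also defers the `$HOME` expansion to login time rather than baking the current value into the file. Re-running the step appends a duplicate line each time, so it is worth telling the reader to run the `env | grep MAIL` check before appending.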
        diff --git a/tools/qemu.html b/tools/qemu.html
        index 1c58e49..c914d74 100644
        --- a/tools/qemu.html
        +++ b/tools/qemu.html
        @@ -43,22 +43,17 @@
                 this describes how to create a qcow2 type;

        -        $ qemu-img create -f qcow2 crux-img.qcow2 15G
        +        $ qemu-img create -f qcow2 crux-img.qcow2 20G
                 
        -

        You can mount disk image;

        +

        Qemu disk images can be treated as regular disks using + qemu disk network block device server;

                 $ sudo modprobe nbd
                 $ sudo qemu-nbd -c /dev/nbd0 /crux-img.qcow2
                 
        -

        To disconnect image disk (ndb);

        - -
        -        $ sudo qemu-nbd -d /dev/nbd0
        -        
        -

        Information about preparing partitions and storage administration. @@ -100,6 +95,13 @@ # mount $BLK_VAR $CHROOT/var

        +

        Before disconnecting image, clean dev mappings;

        + +
        +        $ sudo kpartx -d /dev/nbd0
        +        $ sudo qemu-nbd -d /dev/nbd0
        +        
        +

        2. Network

        Network configuration;
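Review bot: `kpartx -d /dev/nbd0` is introduced right after the context that mounts the image's partitions (`# mount $BLK_VAR $CHROOT/var`), but the mappings cannot be torn down while those filesystems are mounted, and detaching the nbd device under a live mount risks leaving the qcow2 image corrupted. Add the unmount step before it, `$ sudo umount -R $CHROOT` (or one `umount` per mount point in reverse order) followed by `$ sudo sync`, and only then the two commands as written. A one-line note that the unmount must succeed before continuing would spare readers from discovering this via a wedged nbd device.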

        diff --git a/tools/x.html b/tools/x.html index e01aaca..ad5ea6d 100644 --- a/tools/x.html +++ b/tools/x.html @@ -40,6 +40,12 @@ $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
    +

    From 6c37 collection;

    + +
    +        $ prt-get depinst otf-sourcecode
    +        
    +

    Configure

    Example of /etc/skel/.xinitrc;

    @@ -170,24 +176,26 @@

    Window Managers

    -

    Dwm

    -        $ sudo prt-get depinst dmenu \
    -            dwm \
    -            spectrwm \
    +        $ sudo prt-get depinst \
    +            alsa-utils \
    +            libdrm \
    +            mesa3d \
    +            ffmpeg \
    +            gstreamer \
    +            gstreamer-vaapi \
    +            gst-plugins-base \
    +            gst-plugins-good \
    +            adwaita-icon-theme \
    +            dmenu \
                 st \
                 conky \
                 dillo \
    -            adwaita-icon-theme \
    +            spectrwm \
                 gparted \
                 gimp \
                 libreoffice \
    -            ffmpeg \
    -            gstreamer \
    -            gstreamer-vaapi \
    -            gst-plugins-base \
    -            gst-plugins-good \
                 epiphany
             
    -- cgit 1.4.1-2-gfad0 From 65167272a3ba52dc4d032a1c60a9ff030408047d Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Wed, 2 Aug 2017 01:01:58 +0100 Subject: first hardened test --- core/conf/pkgmk.conf | 9 +- core/conf/prt-get.conf | 19 +- core/conf/sysctl.conf | 2 +- core/network.html | 6 + core/scripts/act-chroot.sh | 18 +- core/scripts/setup-install.sh | 217 +--- core/scripts/setup-target.sh | 229 +++- dev/c/index.html | 90 +- tools/conf/etc/fonts/local.conf | 1542 +++++++++++++++++++++++ tools/conf/etc/iptables/iptables-br.sh | 318 +++++ tools/conf/etc/iptables/vlan.v4 | 228 ++-- tools/conf/etc/nginx/sites-enabled/default.conf | 86 +- tools/conf/etc/ssh/sshd_config | 30 +- tools/nginx.html | 8 +- tools/qemu.html | 80 +- tools/scripts/pkgmk-test.conf | 8 +- tools/scripts/pkgmk-test.sh | 2 +- 17 files changed, 2499 insertions(+), 393 deletions(-) mode change 100644 => 100755 core/scripts/setup-install.sh mode change 100644 => 100755 core/scripts/setup-target.sh create mode 100644 tools/conf/etc/fonts/local.conf create mode 100644 tools/conf/etc/iptables/iptables-br.sh (limited to 'tools/qemu.html') diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 4ef372e..6949fa7 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,9 +2,10 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=native -mtune=native" +export CPPFLAGS="-D_FORTIFY_SOURCE=2" +export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check" export CXXFLAGS="${CFLAGS}" - +export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" export MAKEFLAGS="-j4" case ${PKGMK_ARCH} in 
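Review bot: The new CFLAGS line mixes options that do not belong in a hardening set: `-fstack-check` is a runtime stack-overflow probe (aimed at Ada-style overflow detection, not the stack-clash mitigation usually wanted) and is widely reported to break builds, while `--param=ssp-buffer-size=4` only affects plain `-fstack-protector`, which `-fstack-protector-strong` on the same line already supersedes. Drop both and, if the toolchain supports it, use `-fstack-clash-protection` for the stack-clash case. Forcing `-fPIE` (given after `-fPIC`) and `-pie` through global CFLAGS/LDFLAGS also reaches ports that build shared libraries; the driver drops `-pie` when linking with `-shared`, but PIE codegen assumes no symbol interposition and such objects may fail to link into a `.so`, so expect per-port overrides. Because `-D_FORTIFY_SOURCE=2` lives only in CPPFLAGS, a port whose build ignores CPPFLAGS silently loses fortification; adding it to CFLAGS as well is the usual safeguard.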
@@ -22,7 +23,9 @@ case ${PKGMK_ARCH} in ;; esac -#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://crux.nu/distfiles/) +#PKGMK_SOURCE_MIRRORS=(https://crux.ster.zone/distfiles/) +#PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) PKGMK_SOURCE_DIR="/usr/ports/distfiles" PKGMK_PACKAGE_DIR="/usr/ports/packages" PKGMK_WORK_DIR="/usr/ports/work/$name" diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 0504d3e..e210ca8 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -5,20 +5,19 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core prtdir /usr/ports/opt +prtdir /usr/ports/contrib +prtdir /usr/ports/c9-ports prtdir /usr/ports/xorg +# 6c37 team provides a collection with freetype-iu, fontconfig-iu +# and cairo-iu ports. + # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 # the following line enables the user maintained contrib collection -prtdir /usr/ports/contrib - -# ports described on this documentation -#prtdir /usr/ports/c9-ports - -# 6c37 team provides a collection with freetype-iu, fontconfig-iu -# and cairo-iu ports. -#prtdir /usr/ports/6c37 +prtdir /usr/ports/6c37-dropin +prtdir /usr/ports/6c37 ### use mypackage form local directory # prtdir /home/packages/build:mypackage @@ -38,7 +37,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -#preferhigher yes # (yes|no) +preferhigher no # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -51,7 +50,7 @@ runscripts yes # (no|yes) ### EXPERT SECTION ### ### alternative commands -makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk +makecommand sudo -H -u pkgmk -g users fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index c421e59..4606791 100644 --- a/core/conf/sysctl.conf 
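Review bot: The new `prtdir` order places `/usr/ports/contrib` and `/usr/ports/c9-ports` ahead of `/usr/ports/xorg`, and the comment two lines above says the first match wins, so any same-named port in either third-party collection now silently replaces the official xorg port. This is a supply-chain decision: every collection enabled here (contrib, c9-ports, 6c37-dropin, 6c37) is fetched and built with full trust, so either keep the official core/opt/xorg trees first or add a comment stating that shadowing is intended and how those collections' sources are verified. The comment `# the following line enables the user maintained contrib collection` is now followed by the 6c37 entries rather than by contrib, so it should move with the `prtdir /usr/ports/contrib` line or be rewritten.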
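Review bot: `makecommand sudo -H -u pkgmk -g users fakeroot pkgmk` moves package builds from the dedicated `pkgmk` group into `users`, which widens what an untrusted build script can write from group-pkgmk paths to everything that is group-writable by `users`. If the motivation was access to the ports or packages tree, giving those directories to group `pkgmk` keeps the isolation the previous setting provided. Note the interaction with the sysctl change in this same commit: with `tpe_invert` turned off and `tpe_gid = 100`, gid 100 becomes the TPE-restricted group, so if 100 is `users` the builds themselves will fall under TPE.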
+++ b/core/conf/sysctl.conf @@ -374,7 +374,7 @@ kernel.grsecurity.tpe_gid = 100 # users on the system. If the sysctl option is enabled, a sysctl option # with name "tpe_invert" is created. Unlike other sysctl options, this # entry will default to on for backward-compatibility. -kernel.grsecurity.tpe_invert = 1 +kernel.grsecurity.tpe_invert = 0 # If you say Y here, all non-root users will be covered under # a weaker TPE restriction. This is separate from, and in addition to, diff --git a/core/network.html b/core/network.html index 4f1f20a..92f0e1e 100644 --- a/core/network.html +++ b/core/network.html @@ -138,6 +138,12 @@ # sh /etc/rc.d/iptables start
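Review bot: `kernel.grsecurity.tpe_invert = 0` changes what the `kernel.grsecurity.tpe_gid = 100` in the context means: with invert on, gid 100 was the trusted group exempt from TPE; with it off, gid 100 becomes the only untrusted group, so its members can no longer execute files outside root-owned, root-writable-only directories while every other account is unrestricted unless `tpe_restrict_all` (the option the following comment describes) is also enabled. If gid 100 is `users`, that now covers the package builds this commit switches to `sudo -u pkgmk -g users` in prt-get.conf, whose configure tests execute freshly compiled binaries from the work directory. Record the intent next to the setting, e.g. `# invert=0: gid 100 is the restricted group; others exempt unless tpe_restrict_all=1`, and confirm `tpe_restrict_all` is set the way you expect.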
    +

    See current rules and packets;

    + +
    +        # iptables -L -n -v | less
    +        
    +

    Copy init script, edit if you dont like to let drop when you call stop.

    diff --git a/core/scripts/act-chroot.sh b/core/scripts/act-chroot.sh index f8ae571..5411bc5 100644 --- a/core/scripts/act-chroot.sh +++ b/core/scripts/act-chroot.sh @@ -21,15 +21,15 @@ BLK_HOME="${DEV}8" #read CHROOT CHROOT="/mnt" -mount $BLK_ROOT $CHROOT - -mount $BLK_BOOT $CHROOT/boot -mount $BLK_EFI $CHROOT/boot/efi - -mount $BLK_VAR $CHROOT/var -mount $BLK_USR $CHROOT/usr -mount $BLK_PRT $CHROOT/usr/ports -mount $BLK_HOME $CHROOT/home +#mount $BLK_ROOT $CHROOT +# +#mount $BLK_BOOT $CHROOT/boot +#mount $BLK_EFI $CHROOT/boot/efi +# +#mount $BLK_VAR $CHROOT/var +#mount $BLK_USR $CHROOT/usr +#mount $BLK_PRT $CHROOT/usr/ports +#mount $BLK_HOME $CHROOT/home #mount -vt devpts devpts $CHROOT/dev/pts #mount -vt tmpfs shm $CHROOT/dev/shm diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh old mode 100644 new mode 100755 index 0e0a720..c1d2765 --- a/core/scripts/setup-install.sh +++ b/core/scripts/setup-install.sh @@ -1,24 +1,9 @@ -#!/bin/sh +#!/bin/bash # Set Global Vars ADMIN_USER=c9admin DEV=$1 - -CHROOT="/mnt" -##read BLK_EFI -BLK_EFI="${DEV}2" -##read BLK_BOOT -BLK_BOOT="${DEV}3" -##read BLK_ROOT -BLK_ROOT="${DEV}4" -##read BLK_VAR -BLK_VAR="${DEV}5" -##read BLK_USR -BLK_USR="${DEV}6" -##read BLK_SWP -BLK_SWP="${DEV}7" -##read BLK_HOME -BLK_HOME="${DEV}8" +CHROOT=$2 # Absolute path to this script, # e.g. /home/user/c9-doc/core/scripts/foo.sh 
@@ -57,133 +42,37 @@ ConfirmOrExit () } -setup_target () { - echo "1.1.2 Creating File System on $BLK_EFI with fat32:" - mkfs.fat -F 32 $BLK_EFI - echo "1.1.2 Creating File System on $BLK_BOOT with ext4:" - mkfs.ext4 $BLK_BOOT - echo "1.1.2 Creating File System on $BLK_ROOT with ext4:" - mkfs.ext4 $BLK_ROOT - echo "1.1.2 Creating File System on $BLK_VAR with ext4:" - mkfs.ext4 $BLK_VAR - echo "1.1.2 Creating File System on $BLK_USR with ext4:" - mkfs.ext4 $BLK_USR - echo "1.1.2 Creating Swap File System on $BLK_SWP:" - mkswap $BLK_SWP - echo "1.1.2 Creating File System on $BLK_HOME with ext4:" - mkfs.ext4 $BLK_HOME - - echo "1.1.3 mount point to chroot (/mnt):\n" - mount $BLK_ROOT $CHROOT - - mkdir -p $CHROOT/boot - mount $BLK_BOOT $CHROOT/boot - mkdir -p $CHROOT/boot/efi - mount $BLK_EFI $CHROOT/boot/efi - mkdir -p $CHROOT/var - mount $BLK_VAR $CHROOT/var - mkdir -p $CHROOT/usr - mount $BLK_USR $CHROOT/usr - mkdir -p $CHROOT/home - mount $BLK_HOME $CHROOT/home - - - mkdir -p $CHROOT/dev - mkdir -p $CHROOT/tmp - mkdir -p $CHROOT/proc - mkdir -p $CHROOT/sys - - mkdir -p $CHROOT/var/lib/pkg - mkdir -p $CHROOT/usr/ports - - mkdir -p $CHROOT/media - - mount --bind /dev $CHROOT/dev - mount -vt devpts devpts $CHROOT/dev/pts - mount -vt tmpfs shm $CHROOT/dev/shm - mount -vt proc proc $CHROOT/proc - mount -vt sysfs sysfs $CHROOT/sys - - modprobe isofs - modprobe loop - mount -o loop $ISO_FILE $CHROOT/media -} - -install_packages() { +install_core() { echo "1.1.4 Create core.lst and install pkgadd" - for p in $CHROOT/media/crux/core/*; do echo $p >> $CHROOT/core.lst; done + for p in ${CHROOT}mnt/media/crux/core/*; do echo $p >> ${CHROOT}core.lst; done - tar xf "$CHROOT/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > $CHROOT/pkgadd + tar xf "${CHROOT}mnt/media/crux/core/pkgutils#5.40-1.pkg.tar.xz" usr/bin/pkgadd -O > ${CHROOT}pkgadd - chmod +x $CHROOT/pkgadd + chmod +x ${CHROOT}pkgadd echo "1.1.4 File core.lst complete, review list of packages before 
continue..." read PAUSE - vim $CHROOT/core.lst + vim ${CHROOT}core.lst echo "1.1.4 Starting install" - touch $CHROOT/var/lib/pkg/db + touch ${CHROOT}/var/lib/pkg/db cd $CHROOT while read line; do echo "Installing $line;\n" - $CHROOT/pkgadd -f -r $CHROOT $line - done < core.lst + ${CHROOT}pkgadd -u -f -r ${CHROOT} ${line} + done < ${CHROOT}core.lst - rm $CHROOT/pkgadd - rm $CHROOT/core.lst + rm ${CHROOT}pkgadd + rm ${CHROOT}core.lst - echo "1.1.5. Install extra packages;" - - mkdir $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/core/* $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages - cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages + mkdir ${CHROOT}usr/ports/packages + cp ${CHROOT}media/crux/core/* ${CHROOT}usr/ports/packages - echo "Installing $CHROOT/usr/ports/packages/fakeroot" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* - echo "Installing $CHROOT/usr/ports/packages/dbus" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* - echo "Installing $CHROOT/usr/ports/packages/expat" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* - echo "Installing $CHROOT/usr/ports/packages/libnl" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* - echo "Installing $CHROOT/usr/ports/packages/libpng" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* - echo "Installing $CHROOT/usr/ports/packages/freetype" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* - echo "Installing $CHROOT/usr/ports/packages/libffi" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* - echo "Installing $CHROOT/usr/ports/packages/sqlite3" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* - echo "Installing $CHROOT/usr/ports/packages/python" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* - echo "Installing $CHROOT/usr/ports/packages/glib" - 
$CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* - echo "Installing $CHROOT/usr/ports/packages/grub2" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2#* - echo "Installing $CHROOT/usr/ports/packages/grub2-efi" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* - echo "Installing $CHROOT/usr/ports/packages/wireless-tools" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* - echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* - echo "Installing $CHROOT/usr/ports/packages/lvm2" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* - echo "Installing $CHROOT/usr/ports/packages/mdadm" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* - echo "Installing $CHROOT/usr/ports/packages/efivar" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* - echo "Installing $CHROOT/usr/ports/packages/efibootmgr" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* - echo "Installing $CHROOT/usr/ports/packages/dosfstools" - $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* - - echo "1.1.6. Install extra ports;\n" +} - mkdir $CHROOT/usr/ports/c9-ports - cp -r $DIR_PRT/* $CHROOT/usr/ports/c9-ports/ +setup_core() { echo "1.1.7. dns resolver, copy resolv.conf;\n" cp /etc/resolv.conf $CHROOT/etc @@ -193,9 +82,6 @@ install_packages() { echo "1.1.9. Install Skeletons\n" cp -r $DIR_CONF/skel $CHROOT/etc/ -} - -host_metadata() { echo "1.2.1. Set hostname and hosts;" cp $DIR_CONF/hosts $CHROOT/etc/ @@ -229,9 +115,6 @@ host_metadata() { cp $DIR_CONF/rc.conf $CHROOT/etc/ vim $CHROOT/etc/rc.conf -} - -setup_ports() { echo "1.3.1. Build as unprivileged user;" chroot $CHROOT /usr/bin/env -i \ 
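Review bot: `install_core` now joins paths as `${CHROOT}core.lst`, `${CHROOT}pkgadd` and `${CHROOT}mnt/media/...` with no separator, while the same function still writes `${CHROOT}/var/lib/pkg/db` and the rest of the script uses `$CHROOT/etc` and `$CHROOT/media/...`; with `CHROOT=$2` this only works if the caller passes a trailing slash, and `${CHROOT}mnt/media/crux/core/*` does not match the `${CHROOT}media/crux/core/*` used a few lines later for the copy. Pick one convention, e.g. `CHROOT=${2%/}` with `$CHROOT/...` everywhere, and guard it with `: "${CHROOT:?chroot directory required}"` near the top, because an empty `$2` turns `${CHROOT}pkgadd -u -f -r ${CHROOT} ${line}` into a forced install with an empty root (likely the live system) and `rm ${CHROOT}pkgadd` into a relative `rm` in the current directory. The script's remaining functions and the call sequence continue outside the hunk.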
@@ -284,18 +167,59 @@ setup_ports() { #vim $CHROOT/etc/prt-get.conf } -echo "SCRIPT=$SCRIPT"; -echo "SCRIPTPATH=$SCRIPTPATH"; +install_packages() { -echo "Device: $DEV\n" + echo "1.1.5. Install extra packages;" + cp $CHROOT/media/crux/opt/* $CHROOT/usr/ports/packages + cp $CHROOT/media/crux/xorg/* $CHROOT/usr/ports/packages -echo "1.1.2 EFI block; ($BLK_EFI)" -echo "1.1.2 boot block; ($BLK_BOOT)" -echo "1.1.2 root block; ($BLK_ROOT)" -echo "1.1.2 var block; ($BLK_VAR)" -echo "1.1.2 usr block; ($BLK_USR)" -echo "1.1.2 swap block; ($BLK_SWP)" -echo "1.1.2 home block; ($BLK_HOME)\n" + echo "Installing $CHROOT/usr/ports/packages/fakeroot" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/fakeroot#* + echo "Installing $CHROOT/usr/ports/packages/dbus" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dbus#* + echo "Installing $CHROOT/usr/ports/packages/expat" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/expat#* + echo "Installing $CHROOT/usr/ports/packages/libnl" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libnl#* + echo "Installing $CHROOT/usr/ports/packages/libpng" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libpng#* + echo "Installing $CHROOT/usr/ports/packages/freetype" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/freetype#* + echo "Installing $CHROOT/usr/ports/packages/libffi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/libffi#* + echo "Installing $CHROOT/usr/ports/packages/sqlite3" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/sqlite3#* + echo "Installing $CHROOT/usr/ports/packages/python" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/python#* + echo "Installing $CHROOT/usr/ports/packages/glib" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/glib#* + echo "Installing $CHROOT/usr/ports/packages/grub2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT 
$CHROOT/usr/ports/packages/grub2#* + echo "Installing $CHROOT/usr/ports/packages/grub2-efi" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/grub2-efi#* + echo "Installing $CHROOT/usr/ports/packages/wireless-tools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wireless-tools#* + echo "Installing $CHROOT/usr/ports/packages/wpa_supplicant" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/wpa_supplicant#* + echo "Installing $CHROOT/usr/ports/packages/lvm2" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/lvm2#* + echo "Installing $CHROOT/usr/ports/packages/mdadm" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/mdadm#* + echo "Installing $CHROOT/usr/ports/packages/efivar" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efivar#* + echo "Installing $CHROOT/usr/ports/packages/efibootmgr" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/efibootmgr#* + echo "Installing $CHROOT/usr/ports/packages/dosfstools" + $CHROOT/usr/bin/pkgadd -f -r $CHROOT $CHROOT/usr/ports/packages/dosfstools#* + + echo "1.1.6. Install extra ports;\n" + + mkdir $CHROOT/usr/ports/c9-ports + cp -r $DIR_PRT/* $CHROOT/usr/ports/c9-ports/ + +} +echo "SCRIPT=$SCRIPT"; +echo "SCRIPTPATH=$SCRIPTPATH"; echo "ADMIN_USER="$ADMIN_USER"\n" echo "CHROOT=$CHROOT"; @@ -307,9 +231,8 @@ echo "ISO_FILE=$ISO_FILE"; ConfirmOrExit echo "press enter to continue" read -setup_target -install_packages -host_metadata -setup_ports +install_core +#setup_core +#install_packages echo "Ready to chroot $CHROOT /bin/bash \n" diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh old mode 100644 new mode 100755 index 6931fe9..d46d4bb --- a/core/scripts/setup-target.sh +++ b/core/scripts/setup-target.sh 
@@ -1,5 +1,36 @@ #!/bin/sh +DEV=/dev + +SETUP_TARGET="print" +CHROOT="/mnt" + +# Absolute path to this script, e.g. /home/user/bin/foo.sh +SCRIPT=$(readlink -f "$0") +# Absolute path this script is in, thus /home/user/bin +SCRIPTPATH=$(dirname "$SCRIPT") + +DIR=$(dirname "$SCRIPTPATH"); +DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; + +ISO_FILE="${DIR_LOCAL}/crux-3.3.iso" + +##read BLK_EFI +BLK_EFI="${DEV}2" +##read BLK_BOOT +BLK_BOOT="${DEV}3" +##read BLK_ROOT +BLK_ROOT="${DEV}4" +##read BLK_VAR +BLK_VAR="${DEV}5" +##read BLK_USR +BLK_USR="${DEV}6" +##read BLK_SWP +BLK_SWP="${DEV}7" +##read BLK_HOME +BLK_HOME="${DEV}8" + + # First we define the function ConfirmOrExit () { 
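Review bot: `DEV=/dev` is a hard-coded placeholder and the old `DEV=$1` is gone, so `BLK_EFI="${DEV}2"` and the other block variables expand to `/dev2`, `/dev3`, … and `partition_target` would run `parted --script /dev mklabel gpt`; the script cannot work without editing it first, and nothing rejects a stale value. Take the device from the new option parser (it has no `-D`/`--device`) or from the environment with `: "${DEV:?target block device required}"`, and note that `"${DEV}2"` only suits `/dev/sdX` naming — NVMe and mmcblk devices need a `p` before the partition number. `ConfirmOrExit` starts at the end of this hunk and continues outside it.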
@@ -19,31 +50,173 @@ ConfirmOrExit () echo "You entered $CONFIRM. Continuing ..." } -DEV=$1 - -echo "Device: $DEV\n" -ConfirmOrExit - -parted --script $DEV \ - mklabel gpt \ - unit mib \ - mkpart primary 1 3 \ - name 1 grub \ - set 1 bios_grub on \ - mkpart ESP fat32 3 125 \ - name 2 efi \ - set 2 boot on \ - mkpart primary ext4 125 1128 \ - name 3 boot \ - mkpart primary ext4 1128 5128 \ - name 4 root \ - mkpart primary ext4 5128 6128 \ - name 5 var \ - mkpart primary ext4 6128 14128 \ - name 6 usr \ - mkpart primary linux-swap 14128 18128 \ - name 7 swap \ - mkpart primary ext4 18128 100% \ - name 8 home - -exit 0; + +partition_target () { + + parted --script $DEV \ + mklabel gpt \ + unit mib \ + mkpart primary 1 3 \ + name 1 grub \ + set 1 bios_grub on \ + mkpart ESP fat32 3 125 \ + name 2 efi \ + set 2 boot on \ + mkpart primary ext4 125 1128 \ + name 3 boot \ + mkpart primary ext4 1128 5128 \ + name 4 root \ + mkpart primary ext4 5128 6128 \ + name 5 var \ + mkpart primary ext4 6128 14128 \ + name 6 usr \ + mkpart primary linux-swap 14128 18128 \ + name 7 swap \ + mkpart primary ext4 18128 100% \ + name 8 home +} + +mount_target () { + echo "1.1.2 Creating File System on $BLK_EFI with fat32:" + mkfs.fat -F 32 $BLK_EFI + echo "1.1.2 Creating File System on $BLK_BOOT with ext4:" + mkfs.ext4 $BLK_BOOT + echo "1.1.2 Creating File System on $BLK_ROOT with ext4:" + mkfs.ext4 $BLK_ROOT + echo "1.1.2 Creating File System on $BLK_VAR with ext4:" + mkfs.ext4 $BLK_VAR + echo "1.1.2 Creating File System on $BLK_USR with ext4:" + mkfs.ext4 $BLK_USR + echo "1.1.2 Creating Swap File System on $BLK_SWP:" + mkswap $BLK_SWP + echo "1.1.2 Creating File System on $BLK_HOME with ext4:" + mkfs.ext4 $BLK_HOME + + echo "1.1.3 mount point to chroot (/mnt):\n" + mount $BLK_ROOT $CHROOT + + mkdir -p $CHROOT/boot + mount $BLK_BOOT $CHROOT/boot + + mkdir -p $CHROOT/boot/efi + mount $BLK_EFI $CHROOT/boot/efi + + mkdir -p $CHROOT/var + mount $BLK_VAR $CHROOT/var + + mkdir -p $CHROOT/usr + 
mount $BLK_USR $CHROOT/usr + + mkdir -p $CHROOT/home + mount $BLK_HOME $CHROOT/home + + mkdir -p $CHROOT/var/lib/pkg + mkdir -p $CHROOT/usr/ports + + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/tmp + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + +} + +directory_target () { + + mkdir -p $CHROOT/home + mkdir -p $CHROOT/boot/efi + mkdir -p $CHROOT/var/lib/pkg + mkdir -p $CHROOT/usr/ports + + mkdir -p $CHROOT/media + + mkdir -p $CHROOT/dev + mkdir -p $CHROOT/tmp + mkdir -p $CHROOT/proc + mkdir -p $CHROOT/sys + +} + + +enable_target () { + + mount --bind /dev $CHROOT/dev + mount -vt devpts devpts $CHROOT/dev/pts + mount -vt tmpfs shm $CHROOT/dev/shm + mount -vt proc proc $CHROOT/proc + mount -vt sysfs sysfs $CHROOT/sys + + modprobe isofs + modprobe loop + mount -o loop $ISO_FILE $CHROOT/media +} + +print_target() { + echo "Device: $DEV" + echo "CHROOT: $CHROOT" + echo "ISO_FILE: $ISO_FILE" + echo "Option Selected: $SETUP_TARGET\n" + + echo "1.1.2 EFI block; ($BLK_EFI)" + echo "1.1.2 boot block; ($BLK_BOOT)" + echo "1.1.2 root block; ($BLK_ROOT)" + echo "1.1.2 var block; ($BLK_VAR)" + echo "1.1.2 usr block; ($BLK_USR)" + echo "1.1.2 swap block; ($BLK_SWP)" + echo "1.1.2 home block; ($BLK_HOME)\n" + + +} + +print_help() { + echo "usage: setup_target [options]" + echo "options:" + echo " -p, --partition create partitions and file systems" + echo " -m, --mount mount partitions on chroot" + echo " -d, --directory keep temporary working directory" + echo " -e, --enable enable chroot (proc,dev, sys...)" + echo " -v, --view view environment vars and exit" + echo " -h, --help print help and exit" +} + + +while [ "$1" ]; do + case $1 in + -p|--partition) + SETUP_TARGET="partition" + print_target + ConfirmOrExit + partition_target + exit 0 ;; + -m|--mount) + SETUP_TARGET="mount" + print_target + ConfirmOrExit + mount_target + exit 0 ;; + -d|--directory) + SETUP_TARGET="directory" + print_target + ConfirmOrExit + directory_target + exit 0 ;; + -e|--enable) + 
SETUP_TARGET="enable" + print_target + ConfirmOrExit + enable_target + exit 0 ;; + -v|--view) + SETUP_TARGET="view" + print_target + exit 0 ;; + -h|--help) + print_help + exit 0 ;; + *) + echo "setup-target: invalid option $1" + exit 1 ;; + esac + shift +done diff --git a/dev/c/index.html b/dev/c/index.html index 09374c6..684c7d2 100644 --- a/dev/c/index.html +++ b/dev/c/index.html @@ -7,6 +7,92 @@ Development Index +
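Review bot: `mount_target` runs `mkfs.fat`, `mkfs.ext4` on every partition and `mkswap` before it mounts anything, yet `print_help` describes `-m, --mount` as "mount partitions on chroot" and reserves "create partitions and file systems" for `-p`, whose `partition_target` only runs `parted`; a user who picks `-m` to re-mount an existing install will wipe it after a confirmation prompt that says nothing about formatting. Move the mkfs/mkswap calls into `partition_target` (or a separate `-f, --format` step) so the help text is truthful, and have `print_target` print `WARNING: this option destroys all data on $DEV` before `ConfirmOrExit` for the destructive paths. Both functions and the option loop are new in this hunk, so the move is contained here.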

    System Development

    + +

    System development requires debug kernel know how, + in this example will be used qemu and gdb. A simple init + program is created. Create init.S;

    + +
    +	.global _start
    +	_start:
    +	    mov $1, %rax
    +	    mov $1, %rdi
    +	    mov $message, %rsi
    +	    mov $message_len, %rdx
    +	    syscall
    +	    jmp .
    +	    message: .ascii "FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR\n"
    +	    .equ message_len, . - message
    +	
    + +

    Assemble, link and create simple initial ram disk;

    + +
    +	mkdir d
    +	as --64 -o init.o init.S # assemble
    +	ld -o d/init init.o      # link
    +	cd d
    +	find . | cpio -o -H newc | gzip > ../rootfs.cpio.gz
    +	
    + +

    Clean temporary directory;

    + +
    +	cd ..
    +	rm -r d/
    +	
    + +

    Can be used C to create init program;

    + +
    +	#include <stdio.h>
    +	#include <unistd.h>
    +
    +	int main() {
    +	    printf("FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR\n");
    +	    sleep(0xFFFFFFFF);
    +	    return 0;
    +	}
    +	
    + +
    +	$ gcc -static init.c -o init
    +	
    + +

    Test qemu, kernel and simple init program, you should see + "FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR FOOBAR";

    + +
    +	$ qemu-system-x86_64 -enable-kvm --kernel arch/x86_64/boot/bzImage \
    +    	--initrd rootfs.cpio.gz
    +	
    + +

    If everything goes well you can start qemu without start CPU at + startup (-S) and with gdb server on TCP port 1234 (-s).

    + +
    +	$ qemu-system-x86_64 -enable-kvm --kernel arch/x86/boot/bzImage \
    +                --initrd rootfs.cpio.gz \
    +		-S -s
    +	
    + +

    On another terminal start gdb;

    + +
    +	gdb \
    +	    -ex "add-auto-load-safe-path $(pwd)" \
    +	    -ex "file vmlinux" \
    +	    -ex 'set arch i386:x86-64:intel' \
    +	    -ex 'target remote localhost:1234' \
    +	    -ex 'break start_kernel' \
    +	    -ex 'continue' \
    +	    -ex 'disconnect' \
    +	    -ex 'set arch i386:x86-64' \
    +	    -ex 'target remote localhost:1234'
    +	
    + +

    C & GDB

    C program with autotools @@ -74,7 +160,7 @@ thread 1 -
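Review bot: `-s` is shorthand for `-gdb tcp::1234`, which as far as I can tell listens on all addresses rather than only loopback, so on a host with any network exposure anyone who can reach port 1234 gets full read/write control of the guest's memory and CPU through the gdb stub. Prefer the explicit form `-gdb tcp:127.0.0.1:1234` together with `-S`; the `target remote localhost:1234` line in the gdb command already matches it. The two qemu invocations also disagree on the kernel path (`arch/x86_64/boot/bzImage` vs `arch/x86/boot/bzImage`); both normally resolve in a kernel build tree (the x86_64 one is a link the build creates), but using one spelling avoids confusion.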

    Stopping and Starting +

    Stopping and Starting multi-thread programs

    @@ -86,8 +172,6 @@
             
             strace -c ./program
             
    - - Development Index

    This is part of the c9-doc Manual. diff --git a/tools/conf/etc/fonts/local.conf b/tools/conf/etc/fonts/local.conf new file mode 100644 index 0000000..64dc276 --- /dev/null +++ b/tools/conf/etc/fonts/local.conf 
@@ -0,0 +1,1542 @@ + + + + + + + + + + + + 96 + + + + + + + true + + + + + + + unknown + + + rgb + + + + + + + + + + + + Franklin Gothic Medium + Frutiger Linotype + + Lucida Sans Unicode + + + + 13.4 + + + + medium + + + + roman + + + + false + + + + + + + + + Comic Sans MS + + + 15 + + + medium + + + roman + + + false + + + + + + + Georgia + Lucida Sans + Lucida Sans Typewriter + + Microsoft Sans Serif + + Tahoma + Trebuchet MS + Verdana + + + 16.1 + + + medium + + + roman + + + + false + + + + + + + Arial + Arial Narrow + Berling Antiqua + Book Antiqua + Bookman Old Style + Garamond + + Lucida Console + Palatino Linotype + SylfaenARM + Times New Roman + + + 17.4 + + + medium + + + roman + + + false + + + + + + + Century Gothic + Kartika + + + 21.4 + + + medium + + + roman + + + false + + + + + + + Vrinda + + + 23 + + + medium + + + roman + + + false + + + + + + + Courier New + + + 29.4 + + + medium + + + roman + + + false + + + + + + + Georgia + + + 12 + + + medium + + + roman + + + false + + + + + + + Tahoma + Verdana + + + 13.4 + + + medium + + + roman + + + false + + + + + + + Courier New + + + 16 + + + medium + + + roman + + + false + + + + + + + + + hintfull + + + + + + + Bitstream Charter + Courier 10 Pitch + DejaVu Sans Condensed + DejaVu Serif Condensed + FreeMono + FreeSans + FreeSerif + Luxi Mono + Luxi Sans + Luxi Serif + MgOpen Canonica + MgOpen Cosmetica + MgOpen Modata + MgOpen Moderna + URW Bookman L + URW Chancery L + URW Gothic L + URW Palladio L + + + + true + + + + + + + Arial + + + 12 + + + 13.4 + + + medium + + + roman + + + true + + + + + + + Book Antiqua + + + 16 + + + medium + + + roman + + + true + + + + + + + + Frutiger Linotype + + Times New Roman + + Verdana + + + medium + + + roman + + + true + + + + + + + + 7 + + + 7 + + + + + + + 9.4 + + + 9.4 + + + + + + + + + Arial + + + 10.7 + + + medium + + + 10.7 + + + + + + + + 0 + + + + + true + + + + + + + + + Bitstream Charter + + + serif + + + + + + Bitstream Vera Sans + + + sans + + + + 
+ + + DejaVu Sans + + + sans + + + + + + DejaVu Sans Condensed + + + Arial + + + + + + + + + Helvetica + + + Sans + + + + + + Helvetica Neue + + + Sans + + + + + + Lucida + + + Arial + + + + + + + LucidaBright + + + Arial + + + + + + Lucida Bright + + + Arial + + + + + + Luxi Sans + + + Arial + + + + + + MgOpen Cosmetica + + + Arial + + + + + + MgOpen Modata + + + Arial + + + + + + MgOpen Moderna + + + Arial + + + + + + System + + + Arial + + + + + + URW Gothic L + + + Arial + + + + + + + Verdana + + + Noto Sans + + + Open Sans + + + + + + + Bitstream Vera Serif + + + Georgia + + + + + + DejaVu Serif + + + Georgia + + + + + + DejaVu Serif Condensed + + + Georgia + + + + + + + + Luxi Serif + + + Georgia + + + + + + MgOpen Canonica + + + Georgia + + + + + + New Century Schoolbook + + + Georgia + + + + + + New York + + + Georgia + + + + + + Palatino + + + Georgia + + + + + + Times + + + Georgia + + + + + + URW Bookman L + + + Georgia + + + + + + URW Palladio L + + + Georgia + + + + + + + Andale Mono + + + monospace + + + + + + Bitstream Vera Sans Mono + + + Courier New + + + + + + Courier + + + monospace + + + + + + DejaVu Sans Mono + + + monospace + + + + + + Fixedsys + + + Courier New + + + + + + + + + LucidaTypewriter + + + Courier New + + + + + + Lucida Typewriter + + + Courier New + + + + + + Luxi Mono + + + Courier New + + + + + + Monaco + + + Courier New + + + + + + Terminal + + + Courier New + + + + + + + Apple Chancery + + + Comic Sans MS + + + + + + Lucida Handwriting + + + Comic Sans MS + + + + + + URW Chancery L + + + Comic Sans MS + + + + + + Zapf Chancery + + + Comic Sans MS + + + + + + + Copperplate + + + Impact + + + + + + Desdemona + + + Impact + + + + + + Kino + + + Impact + + + + + + Techno + + + Impact + + + + + + + + cursive + + Comic Sans MS + + + + + fantasy + + Impact + + + + + + + + + + + Arial + + + 12.0 + + + droid sans + + + + + + + + Arial + + + 13.0 + + + noto sans + + + + + + + Arial + + + noto sans + + + + + + + Georgia + + + Noto Serif 
+ + + + + + + + noto sans + + + true + + + hintfull + + + + + + + ubuntu + + + true + + + hintfull + + + + + + + Droid Sans + Droid Sans Mono + + + false + + + hintfull + + + + + + + liberation mono + + + false + + + hintmedium + + + + + + + + + + + + + noto sans + + + 16 + + + medium + + + true + + + hintslight + + + + + + + noto sans + + + 16 + + + medium + + + true + + + true + + + hintslight + + + + + + + + + + + + + + + + + + + + + + + + monospace + + + Droid Sans Mono + + + + + + + sans-serif + + + Noto Sans + + + + + + + Courier New + + + Droid Sans Mono + + + + + + + + + + + + Times New Roman + serif + + + + Noto Serif + + + + + + + + Lucida Grande + + + medium + + + hintslight + + + + + + + + Lucida Console + + + true + + + false + + + hintfull + + + + + + + Open Sans + + + true + + + hintfull + + + + + + + + + + + hi + + + Lohit Hindi + + + + + + + gargi + Lohit Hindi + + + true + + + true + + + hintslight + + + + + + + mangal + + + Lohit Hindi + + + + + + diff --git a/tools/conf/etc/iptables/iptables-br.sh b/tools/conf/etc/iptables/iptables-br.sh new file mode 100644 index 0000000..104e574 --- /dev/null +++ b/tools/conf/etc/iptables/iptables-br.sh 
@@ -0,0 +1,318 @@ +#!/bin/sh + +# +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# + +# | +# v +# +-------------+ +------------------+ +# |table: filter| <---+ | table: nat | +# |chain: INPUT | | | chain: PREROUTING| +# +-----+-------+ | +--------+---------+ +# | | | +# v | v +# [local process] | **************** +--------------+ +# | +---------+ Routing decision +------> |table: filter | +# v **************** |chain: FORWARD| +# **************** +------+-------+ +# Routing decision | +# **************** | +# | | +# v **************** | +# +-------------+ +------> Routing decision <---------------+ +# |table: nat | | **************** +# |chain: OUTPUT| | + +# +-----+-------+ | | +# | | v +# v | +-------------------+ +# +--------------+ | | table: nat | +# |table: filter | +----+ | chain: POSTROUTING| +# |chain: OUTPUT | +--------+----------+ +# +--------------+ | +# v +# XXXXXXXXXXXXXXXXX +# XXXX Network XXXX +# XXXXXXXXXXXXXXXXX +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] {-A|-C|-D} chain rule-specification +# +# iptables [-t table] -I chain [rulenum] rule-specification +# +# iptables [-t table] -R chain rulenum rule-specification +# +# iptables [-t table] -D chain rulenum +# +# iptables [-t table] -S [chain [rulenum]] +# +# iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] +# +# iptables [-t table] -N chain +# +# iptables [-t table] -X [chain] +# +# iptables [-t table] -P chain target +# +# iptables [-t table] -E old-chain-name new-chain-name +# +# rule-specification = [matches...] [target] +# +# match = -m matchname [per-match-options] +# +# +# Targets +# +# can be a user defined chain +# +# ACCEPT - accepts the packet +# DROP - drop the packet on the floor +# QUEUE - packet will be stent to queue +# RETURN - stop traversing this chain and +# resume ate the next rule in the +# previeus (calling) chain. 
+# +# if packet reach the end of the chain or +# a target RETURN, default policy for that +# chain is applayed. +# +# Target Extensions +# +# AUDIT +# CHECKSUM +# CLASSIFY +# DNAT +# DSCP +# LOG +# Torn on kernel logging, will print some +# some information on all matching packets. +# Log data can be read with dmesg or syslogd. +# This is a non-terminating target and a rule +# should be created with matching criteria. +# +# --log-level level +# Level of logging (numeric or see sys- +# log.conf(5) +# +# --log-prefix prefix +# Prefix log messages with specified prefix +# up to 29 chars log +# +# --log-uid +# Log the userid of the process with gener- +# ated the packet +# NFLOG +# This target pass the packet to loaded logging +# backend to log the packet. One or more userspace +# processes may subscribe to the group to receive +# the packets. +# +# ULOG +# This target provides userspace logging of maching +# packets. One or more userspace processes may then +# then subscribe to various multicast groups and +# then receive the packets. +# +# +# Commands +# +# -A, --append chain rule-specification +# -C, --check chain rule-specification +# -D, --delete chain rule-specification +# -D, --delete chain rulenum +# -I, --insert chain [rulenum] rule-specification +# -R, --replace chain rulenum rule-specification +# -L, --list [chain] +# -P, --policy chain target +# +# Parameters +# +# -p, --protocol protocol +# tcp, udp, udplite, icmp, esp, ah, sctp, all +# -s, --source address[/mask][,...] +# -d, --destination address[/mask][,...] +# -j, --jump target +# -g, --goto chain +# -i, --in-interface name +# -o, --out-interface name +# -f, --fragment +# -m, --match options module-name +# iptables can use extended packet matching +# modules. 
+# -c, --set-counters packets bytes + +IPT="/usr/sbin/iptables" +SPAMLIST="blockedip" +SPAMDROPMSG="BLOCKED IP DROP" +# public interface to network/internet +PUB_IF="wlp7s0" +DHCP_SERV="192.168.1.1" +PUB_IP="192.168.1.33" +NET_ADDR="192.168.1.0/24" +# private interface for virtual/internal +PRIV_IF="br0" +PRIV_IP="10.0.0.1" + +modprobe ip_conntrack +modprobe ip_conntrack_ftp + +echo "Stopping ipv4 firewall and deny everyone..." + +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -t raw -F +iptables -t raw -X +iptables -t security -F +iptables -t security -X + + +echo "Starting ipv4 firewall filter table..." + +# Set Default Rules +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT DROP + +###### AP rules ###### +echo 1 > /proc/sys/net/ipv4/ip_forward +$IPT -A FORWARD -i ${PRIV_IF} -o ${PUB_IF} -j ACCEPT +$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT +$IPT -t nat -A POSTROUTING -o ${PUB_IF} -j SNAT --to ${PUB_IP} + +# Block sync +$IPT -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 7 --log-prefix "iptables: drop sync: " +$IPT -A INPUT -p tcp ! 
--syn -m state --state NEW -j DROP + +# Block Fragments +$IPT -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop frag: " +$IPT -A INPUT -f -j DROP + +# Block bad stuff +$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP +$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop null: " +$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop syn rst syn rst: " +$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop xmas: " +$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "iptables: drop fin scan: " +$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + +$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + + +###### Input Chain ###### + +# Unlimited on local +$IPT -A INPUT -i ${PRIV_IF} -j ACCEPT +#$IPT -A INPUT -i lo -s ${PRIV_IP} -j ACCEPT + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A INPUT -i lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT + +echo "Allow input from DNS Server" +$IPT -A INPUT -i ${PUB_IF} -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from Https server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input to HTTPS Server" +$IPT -A INPUT -i ${PUB_IF} -p 
tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + +#echo "Allow input from HTTP Server" +#$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from IRC server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from FTP server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 1024:65535 --sport 21 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from git server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from POP3S server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input from SMTPS server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +echo "Allow input to HTTP Server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +#echo "Allow input to DNS Server" +#$IPT -A INPUT -i ${PUB_IF} -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -s 192.168.0.0/16 -j ACCEPT + +echo "Allow input to SSH server" +$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +###### Output Chain ###### + +# Unlimited on loopback +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 192.168.1.33 -d 192.168.1.33 -j ACCEPT +#$IPT -A OUTPUT -o lo -d ${PRIV_IP} -j ACCEPT + +# Unlimited on local +$IPT -A OUTPUT -o ${PRIV_IF} -j ACCEPT + +echo "Allow output to DNS server" +$IPT -A OUTPUT -o ${PUB_IF} -p udp --dport 53 --sport 1024:65535 -j ACCEPT + +echo "Allow output to https server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 
1024:65535 --dport 443 -j ACCEPT + +echo "Allow output from https server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + +#echo "Allow output from http server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT + +#echo "Allow to HTTP server" +#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to SSH server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to ftp server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to git server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to IRC server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to SMTPS server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 465 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +echo "Allow output to POP3S server" +$IPT -A OUTPUT -o ${PUB_IF} -p tcp --dport 995 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + +## less logs + +echo "Drop RIP protocol" +$IPT -A INPUT -i ${PUB_IF} -p udp --sport 520 --dport 520 -s $NET_ADDR -j DROP + +$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 68 --dport 67 -d $DHCP_SERV -j ACCEPT + +## log everything else and drop +$IPT -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " +$IPT -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " +$IPT -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " +# +exit 0 diff --git a/tools/conf/etc/iptables/vlan.v4 b/tools/conf/etc/iptables/vlan.v4 index 9248630..7954521 100644 --- a/tools/conf/etc/iptables/vlan.v4 
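Review bot: The second AP rule, `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -j ACCEPT`, forwards any packet arriving on the public interface into the bridge without a conntrack match, so the `FORWARD DROP` policy set a few lines earlier does not shield the guests from unsolicited traffic that reaches the host with a 10.0.0.0/24 destination (harmless only if nothing upstream ever routes that prefix here). Restricting it to reply traffic keeps the SNAT'd guest connections working: `$IPT -A FORWARD -i ${PUB_IF} -o ${PRIV_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT`. Smaller points in the same file: the flush block calls bare `iptables` while every rule goes through `$IPT`, `SPAMLIST` and `SPAMDROPMSG` are assigned but never used, and the loopback rules hard-code `192.168.1.33` instead of `${PUB_IP}`.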
+++ b/tools/conf/etc/iptables/vlan.v4 
@@ -1,170 +1,112 @@ -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *security -:INPUT ACCEPT [6:2056] +:INPUT ACCEPT [85:6694] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *raw -:PREROUTING ACCEPT [7:2092] -:OUTPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [97:7863] +:OUTPUT ACCEPT [3:179] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 +*nat +:PREROUTING ACCEPT [6:683] +:INPUT ACCEPT [2:138] +:OUTPUT ACCEPT [2:131] +:POSTROUTING ACCEPT [2:131] +COMMIT +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *mangle -:PREROUTING ACCEPT [7:2092] -:INPUT ACCEPT [6:2056] +:PREROUTING ACCEPT [8:624] +:INPUT ACCEPT [8:624] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [6:2056] -:POSTROUTING ACCEPT [6:2056] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 +# Generated by iptables-save v1.6.1 on Wed Mar 15 20:53:45 2017 *filter :INPUT DROP [0:0] -:FORWARD ACCEPT [0:0] +:FORWARD DROP [0:0] :OUTPUT DROP [0:0] +:ACCEPTLOG - [0:0] +:DROPLOG - [0:0] +:REJECTLOG - [0:0] +:RELATED_ICMP - [0:0] +:SYN_FLOOD - [0:0] -A INPUT -i lo -j ACCEPT --A INPUT -i br0 -j ACCEPT --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT +-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" +-A INPUT -p icmp -j DROP +-A INPUT -p icmp -f -j DROPLOG +-A INPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A INPUT -p icmp -j DROPLOG +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP +-A INPUT -m state --state INVALID -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP --A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK 
FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " --A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP --A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -################################################################################# -# INPUT -# Established connections and passive -# - -# Allow established from dns server -#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# INPUT accept passive --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT - - -# Allow irc --A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow xmmp --A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT -# Allow established from https server --A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow established from http server --A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from rsync server --A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from pop3s server --A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from smtps server --A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from ntp server --A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow established from whois server --A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -# Allow 
established from ftp server --A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT -################################################################################## -# INPUT -# New and established connections to local servers -# - -# allow ping --A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT - -# INPUT accept to dns server --A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - -# INPUT accept from wlp7s0 to https server +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD +-A INPUT -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# INPUT accept from wlp7s0 to ssh server --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT --A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT - --A FORWARD -i br0 -j ACCEPT - --A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 --A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 - -################################################################################## -# Output -# Connections to remote servers -# +-A INPUT -j DROPLOG +-A FORWARD -p icmp -f -j DROPLOG +-A FORWARD -p icmp -j DROPLOG +-A FORWARD -m state --state INVALID -j DROP +-A FORWARD -j REJECTLOG -A OUTPUT -o lo -j ACCEPT --A OUTPUT -o br0 -j ACCEPT - -# Allow ping --A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -# Allow to ssh clients +-A OUTPUT -p icmp -j ACCEPT +-A OUTPUT -p icmp -f -j DROPLOG +-A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT +-A OUTPUT -p icmp -j DROPLOG +-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -m state --state INVALID -j DROP +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow to dns -#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow from dns server --A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT - -# Allow 
irc +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow xmmp --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - - -# Allow to rsync server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to pop3s server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to smtps server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ntp server -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to ftp server -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to https server --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -# Allow to http server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - -################################################################################## -# Output -# Connections from local servers -# - - --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT --A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 
1024:65535 -m state --state NEW -j ACCEPT - - --A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 -COMMIT -# Completed on Sat Oct 15 17:20:41 2016 -# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 -*nat -:PREROUTING ACCEPT [1:36] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] - --A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT --A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -#-A POSTROUTING -o wlp7s0 -j MASQUERADE - +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A ACCEPTLOG -j ACCEPT +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -j DROP +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset +-A REJECTLOG -j REJECT --reject-with icmp-port-unreachable +-A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT +-A RELATED_ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT +-A RELATED_ICMP -j DROPLOG +-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN +-A SYN_FLOOD -j DROP COMMIT -# Completed on Sat Oct 15 17:20:41 2016 +# Completed on Wed Mar 15 20:53:45 2017 diff --git a/tools/conf/etc/nginx/sites-enabled/default.conf b/tools/conf/etc/nginx/sites-enabled/default.conf index 4e01b88..f7c3484 100644 --- a/tools/conf/etc/nginx/sites-enabled/default.conf +++ b/tools/conf/etc/nginx/sites-enabled/default.conf 
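Review bot: In the new filter table the third ICMP rule, `-A INPUT -p icmp -j DROP`, terminates every ICMP packet that the unconditional rate-limited ACCEPT above it did not take, so the five ICMP rules that follow it (fragment DROPLOG, ESTABLISHED, RELATED to RELATED_ICMP, echo-request, DROPLOG) can never match; the OUTPUT chain has the same shape, with `-A OUTPUT -p icmp -j ACCEPT` making its own ICMP rules dead. Presumably the first three INPUT rules are a left-over ping-limit block; removing them, or narrowing the first ACCEPT to `--icmp-type 8`, would let the stateful ICMP handling below actually apply, and the leading ACCEPT as written admits any ICMP type at 1/sec regardless of state. Separately, the ACCEPTLOG/DROPLOG/REJECTLOG LOG rules pass `--log-tcp-sequence`, which the iptables manual notes is a risk when the log is readable by unprivileged users; drop it unless the sequence numbers are needed for analysis.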
@@ -1,49 +1,103 @@ - server { + +#listen 443 ssl http2; listen 443 ssl; - # listen [::]:443 ssl; +# listen 80; server_name c9.core; - root /srv/www/default; +# listen [::]:443 ssl http2; + ssl_certificate /etc/letsencrypt/live/c9.core/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/c9.core/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/c9.core/chain.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security max-age=15768000; + ssl_stapling on; + ssl_stapling_verify on; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + + root /srv/www; + + location /ports/distfiles { + alias /usr/ports/distfiles; + } + + location /ports/packages { + alias /usr/ports/distfiles; + } + + location /doc { + alias /srv/www/c9-doc; + index index.html; + } - location /distfiles { - alias /usr/ports/distfiles; + location /git/static { +# static files (png/css) served from /usr/share/gitweb/static + alias /srv/www/gitweb/static; + expires 30d; } + location /git { + alias /srv/www/gitweb; + index gitweb.cgi; + fastcgi_split_path_info ^/git()(/?.+)$; + fastcgi_param GITWEB_CONFIG /etc/gitweb.conf; + fastcgi_param DOCUMENT_ROOT /srv/www/gitweb; + fastcgi_param SCRIPT_NAME /gitweb.cgi$fastcgi_path_info; - location /bug { + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock; + } + + location /task { index index.php; - alias /srv/www/default/flyspray; + alias /srv/www/c9-flyspray; try_files $uri $uri/ index.php$is_args$args; } - location ~ ^/bug(.+\.php)$ { ### This location block was the solution - alias 
/srv/www/default/flyspray; - - fastcgi_split_path_info ^(.+\.php)(/.+)$; + location ~ ^/task(.+\.php)$ { ### This location block was the solution + alias /srv/www/c9-flyspray; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; try_files $uri /index.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$1; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } location / { - alias /srv/www/default/pmwiki/; - index pmwiki.php + alias /srv/www/c9-pmwiki/; + index pmwiki.php; try_files $uri $uri/ /pmwiki.php$is_args$args; } +# ACME challenge + location ^~ /.well-known { + allow all; + alias /srv/www/c9-pmwiki/pub/cert/.well-known/; + default_type "text/plain"; + try_files $uri =404; + } + + location ~ \.php$ { - alias /srv/www/default/pmwiki; + alias /srv/www/c9-pmwiki; + index pmwiki.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index pmwiki.php; try_files $uri /pmwiki.php =404; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_pass unix:/var/run/php5-fpm.sock; +# fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000; } } diff --git a/tools/conf/etc/ssh/sshd_config b/tools/conf/etc/ssh/sshd_config index f0619fe..cba9be5 100644 --- a/tools/conf/etc/ssh/sshd_config +++ b/tools/conf/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ +# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
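Review bot: `location /ports/packages { alias /usr/ports/distfiles; }` points at the same directory as `location /ports/distfiles` just above it, which looks like a copy-paste slip; presumably it should alias the directory that holds the built packages. Also, `ssl_stapling on` and `ssl_stapling_verify on` are enabled but this server block has no `resolver` directive, and nginx needs one to resolve the OCSP responder hostname, so unless a `resolver` is set in the enclosing http context stapling will silently not happen. Adding `resolver <DNS-SERVER-PLACEHOLDER>;` next to the stapling lines (or a comment stating where it is configured) would make the intent checkable.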
@@ -16,45 +16,28 @@ AddressFamily inet #ListenAddress 0.0.0.0 #ListenAddress :: -# The default requires explicit activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - # Ciphers and keying #RekeyLimit default none -Ciphers aes256-ctr,aes192-ctr,aes128-ctr # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO LogLevel VERBOSE # Authentication: -LoginGraceTime 1m +#LoginGraceTime 2m #PermitRootLogin prohibit-password -PermitRootLogin no #StrictModes yes #MaxAuthTries 6 -MaxAuthTries 3 #MaxSessions 10 -#RSAAuthentication yes -PubkeyAuthentication yes - -AllowGroups admin users gitolite +#PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys @@ -66,23 +49,19 @@ AuthorizedKeysFile .ssh/authorized_keys #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes -PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes -ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no 
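Review bot: Every explicit hardening line the previous revision carried is removed in this hunk — `PermitRootLogin no`, `PasswordAuthentication no`, `ChallengeResponseAuthentication no`, `MaxAuthTries 3`, `PubkeyAuthentication yes`, `AllowGroups admin users gitolite` and the `Ciphers` line — leaving only `LogLevel VERBOSE`, so the example sshd now runs on upstream defaults: password and keyboard-interactive authentication enabled for every account, root login permitted with a key, no group restriction. Refreshing the file from the 7.5 template is reasonable, but if it is still meant to be the manual's hardened configuration the intent-carrying settings should be re-applied on top of the new template, at minimum `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `AllowGroups admin users gitolite` (plus `PermitRootLogin no` if root is not meant to log in at all). If the reset to defaults is deliberate, a comment at the top of the file saying so would stop the next reader from assuming the hardening was lost by accident.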
@@ -116,7 +95,6 @@ ChallengeResponseAuthentication no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 diff --git a/tools/nginx.html b/tools/nginx.html index a85cf0e..ef78ecb 100644 --- a/tools/nginx.html +++ b/tools/nginx.html @@ -43,7 +43,7 @@

    2. Certificates

    -

    2.1. Lets encrypt

    +

    2.1. Lets encrypt

    Example of nginx location block on public pmwiki setup;

    @@ -57,6 +57,12 @@ }
    +

    First run dryrun to test if everything is ok;

    + +
    +        # certbot certonly --dry-run --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
    +        
    +
             # certbot certonly --email user@mail.org --webroot -w /srv/www/c9-pmwiki/pub/cert/-d c9.root.sx
             
    diff --git a/tools/qemu.html b/tools/qemu.html index c914d74..fc0f15c 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -234,11 +234,89 @@

    Set guests machines to run under the total resolution provided by host system configure grub on the guest with gfxmode;

    +

    Guest Graphics

    + +

    Get current resolution on host machine;

    +
    -        GRUB_GFXMODE=640x480
    +        $ xrandr --current | fgrep '*'
    +            1366x768      60.00*+
    +        
    + +

    Set grub gfxmod on guest machine, edit /etc/default/grub;

    + +
    +        GRUB_GFXMODE=1366x768
             GRUB_GFXPAYLOAD_LINUX=keep
             
    +

    Update grub configuration on guest machine;

    + +
    +        # update-grub
    +        
    + +

    Guest Sound

    + +

    Check if DMAR is enable on kernel configuration, + Intel and AMD uses different technology. To check on + Inter machine run;

    + +
    +	# grep -e DMAR -e IOMMU
    +	
    + +

    runvm/profile/crux

    + +
    +        export QEMU_AUDIO_DRV=alsa
    +        #export QEMU_AUDIO_DRV=sdl
    +
    +
    +        #boot=$1
    +        boot=c
    +
    +        iso=iso/crux-3.2.iso
    +        #iso=$2
    +
    +        #image=$3
    +        image=img/crux-img.qcow2
    +
    +        #tap=$4
    +        tap="tap1"
    +
    +        #mac=$(rmac_addr)
    +        mac="54:60:be:ef:5c:72"
    +
    +        other="-soundhw hda"
    +        
    + +

    runvm/runvm.sh

    + +
    +        function rmac_addr (){
    +        printf '54:60:BE:EF:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256))
    +        }
    +
    +        source profile/$1
    +        boot=$2
    +
    +        #mac=$(rmac_addr)
    +
    +        qemu-system-x86_64 \
    +            -enable-kvm \
    +            -m 1024 \
    +            -boot ${boot} \
    +            -cdrom ${iso} \
    +            -hda ${image} \
    +            -vga std \
    +            -display sdl \
    +            -device e1000,netdev=t0,mac=${mac} \
    +            -netdev tap,id=t0,ifname=${tap},script=no,downscript=no \
    +            ${other} \
    +            &>
    +        
    + Tools Index

    This is part of the c9 Manual. Copyright (C) 2016 diff --git a/tools/scripts/pkgmk-test.conf b/tools/scripts/pkgmk-test.conf index db9978d..1ebdccb 100644 --- a/tools/scripts/pkgmk-test.conf +++ b/tools/scripts/pkgmk-test.conf @@ -2,11 +2,13 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64" +export CPPFLAGS="-D_FORTIFY_SOURCE=2" +export CFLAGS="-O2 -march=native -mtune=native -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt -fstack-check" export CXXFLAGS="${CFLAGS}" - +export LDFLAGS="-fPIE -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now" export MAKEFLAGS="-j4" + case ${PKGMK_ARCH} in "64"|"") ;; @@ -34,5 +36,3 @@ PKGMK_SOURCE_MIRRORS=(https://c9.root.sx/ports/distfiles/) # PKGMK_WGET_OPTS="" # PKGMK_CURL_OPTS="" # PKGMK_COMPRESSION_MODE="gz" - - diff --git a/tools/scripts/pkgmk-test.sh b/tools/scripts/pkgmk-test.sh index 5509ac2..a279967 100644 --- a/tools/scripts/pkgmk-test.sh +++ b/tools/scripts/pkgmk-test.sh @@ -2,4 +2,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" CONF=${DIR}/pkgmk-test.conf -fakeroot pkgmk -cf $CONF -d $1 +fakeroot pkgmk -cf $CONF -d -is $1 -- cgit 1.4.1-2-gfad0
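Review bot: `-march=native -mtune=native` in the new `CFLAGS` line ties every package built with this file to the build host's CPU, which sits badly with the package mirror this same commit exposes over nginx (`/ports/packages`) and with `PKGMK_SOURCE_MIRRORS` pointing at a shared host, if the built packages are meant to be installed anywhere else. Keeping the previous baseline, `export CFLAGS="-O2 -march=x86-64 -pipe -fPIC -fPIE -fstack-protector-strong --param=ssp-buffer-size=4 -fno-plt"`, preserves portability while the hardening flags (`-D_FORTIFY_SOURCE=2`, `-fstack-protector-strong`, `-fPIE`/`-pie`, `-z,relro,-z,now`) still apply unchanged. A one-line comment above the flags naming the intent (`# hardened, portable baseline; see core/hardening.html`) would also help, since the flag set is long and non-obvious.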
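Review bot: The added `-is` in `fakeroot pkgmk -cf $CONF -d -is $1` — if that is pkgmk's ignore-signature switch — makes this wrapper build ports without verifying their signature file, which disables the port-signing check for exactly the packages being test-built; if that is intended because local test ports are unsigned, a comment should say so, e.g. `# -is: skip the port signature check; local test ports are unsigned`. Independently, `$CONF` and `$1` are unquoted, so a path with spaces or an empty argument breaks the call: `fakeroot pkgmk -cf "$CONF" -d -is "$1"`.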