bogdan/zira-etc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

daily autocommit

Browse Source
This commit is contained in:
Bogdan Stoica
2023-06-24 11:25:47 +03:00
parent 9b764da8f5
commit 43d4d203a1
106 changed files with 6 additions and 697995 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
.etckeeper
View File

@@ -18,11 +18,11 @@ mkdir -p './cagefs/conf.d'
mkdir -p './cagefs/exclude'
mkdir -p './chkconfig.d'
mkdir -p './cl.selector/php.extensions.d'
mkdir -p './cloud'
mkdir -p './cron.weekly'
mkdir -p './crypto-policies/policies/modules'
mkdir -p './cups/ppd'
mkdir -p './cups/ssl'
mkdir -p './cxs/newusers'
mkdir -p './dbus-1/session.d'
mkdir -p './dconf/db/local.d/locks'
mkdir -p './dconf/db/site.d/locks'
@@ -96,6 +96,7 @@ mkdir -p './rhsm/ca'
mkdir -p './rhsm/facts'
mkdir -p './rhsm/pluginconf.d'
mkdir -p './rspamd/override.d'
mkdir -p './samba'
mkdir -p './scl/modulefiles'
mkdir -p './security/console.perms.d'
mkdir -p './security/namespace.d'
@@ -175,7 +176,6 @@ maybe chmod 0644 'almalinux-release-upstream'
maybe chmod 0755 'alternatives'
maybe chmod 0755 'amavisd'
maybe chmod 0644 'amavisd/amavisd.conf'
maybe chmod 0644 'amavisd/amavisd.conf.rpmnew'
maybe chmod 0644 'amavisd/whitelist'
maybe chmod 0644 'anacrontab'
maybe chmod 0755 'ansible'
@@ -270,7 +270,6 @@ maybe chmod 0644 'bash_completion.d/redefine_filedir'
maybe chmod 0644 'bash_completion.d/scl'
maybe chmod 0644 'bash_completion.d/torsocks'
maybe chmod 0644 'bashrc'
maybe chmod 0644 'bashrc.rpmnew'
maybe chmod 0644 'bindresvport.blacklist'
maybe chmod 0755 'binfmt.d'
maybe chmod 0755 'cagefs'
@@ -279,7 +278,6 @@ maybe chmod 0755 'cagefs/exclude'
maybe chmod 0644 'cczerc'
maybe chmod 0755 'chkconfig.d'
maybe chmod 0644 'chrony.conf'
maybe chmod 0644 'chrony.conf.rpmnew'
maybe chgrp 'chrony' 'chrony.keys'
maybe chmod 0640 'chrony.keys'
maybe chmod 0755 'cifs-utils'
@@ -301,12 +299,6 @@ maybe chmod 0644 'clamav-unofficial-sigs/user.conf'
maybe chown 'amavis' 'clamd.conf'
maybe chgrp 'amavis' 'clamd.conf'
maybe chmod 0640 'clamd.conf'
maybe chown 'amavis' 'clamd.conf.rpmnew'
maybe chgrp 'amavis' 'clamd.conf.rpmnew'
maybe chmod 0644 'clamd.conf.rpmnew'
maybe chown 'amavis' 'clamd.conf.rpmsave'
maybe chgrp 'amavis' 'clamd.conf.rpmsave'
maybe chmod 0644 'clamd.conf.rpmsave'
maybe chown 'amavis' 'clamd.d'
maybe chgrp 'amavis' 'clamd.d'
maybe chmod 0755 'clamd.d'
@@ -316,14 +308,7 @@ maybe chmod 0644 'clamd.d/amavisd.conf'
maybe chown 'amavis' 'clamd.d/scan.conf'
maybe chgrp 'amavis' 'clamd.d/scan.conf'
maybe chmod 0644 'clamd.d/scan.conf'
maybe chown 'amavis' 'clamd.d/scan.conf.rpmnew'
maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmnew'
maybe chmod 0644 'clamd.d/scan.conf.rpmnew'
maybe chown 'amavis' 'clamd.d/scan.conf.rpmsave'
maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmsave'
maybe chmod 0644 'clamd.d/scan.conf.rpmsave'
maybe chmod 0755 'cloud'
maybe chmod 0644 'cloud/cloud.cfg.rpmsave'
maybe chmod 0755 'cockpit'
maybe chmod 0755 'cockpit/ws-certs.d'
maybe chmod 0644 'cockpit/ws-certs.d/0-self-signed-ca.pem'
@@ -592,49 +577,6 @@ maybe chgrp 'lp' 'cups/snmp.conf.default'
maybe chmod 0640 'cups/snmp.conf.default'
maybe chgrp 'lp' 'cups/ssl'
maybe chmod 0700 'cups/ssl'
maybe chmod 0611 'cxs'
maybe chmod 0600 'cxs/changelog.txt'
maybe chmod 0700 'cxs/cpanelsuspend.example.pl'
maybe chmod 0600 'cxs/csfajaxtail.js'
maybe chmod 0755 'cxs/cxs'
maybe chmod 0644 'cxs/cxs.data'
maybe chmod 0644 'cxs/cxs.default'
maybe chmod 0644 'cxs/cxs.defaults.example'
maybe chmod 0644 'cxs/cxs.fp'
maybe chmod 0644 'cxs/cxs.ignore'
maybe chmod 0644 'cxs/cxs.ignore.example'
maybe chmod 0644 'cxs/cxs.monitor.example'
maybe chmod 0755 'cxs/cxs.pl'
maybe chmod 0644 'cxs/cxs.pod'
maybe chmod 0600 'cxs/cxs.sec'
maybe chmod 0600 'cxs/cxs.sver'
maybe chmod 0644 'cxs/cxs.template.example'
maybe chmod 0644 'cxs/cxs.xtra'
maybe chmod 0644 'cxs/cxs.xtra.example'
maybe chmod 0755 'cxs/cxs/images'
maybe chmod 0644 'cxs/cxs/images/cxs_small.png'
maybe chmod 0644 'cxs/cxs/images/icon.gif'
maybe chmod 0644 'cxs/cxs/index.cgi'
maybe chmod 0644 'cxs/cxs/module.info'
maybe chmod 0755 'cxs/cxscgi.sh'
maybe chmod 0700 'cxs/cxschroot.sh'
maybe chmod 0600 'cxs/cxscron.txt'
maybe chmod 0700 'cxs/cxsdaily.sh'
maybe chmod 0700 'cxs/cxsftp.sh'
maybe chmod 0700 'cxs/cxsui.pl'
maybe chmod 0700 'cxs/cxswatch.sh'
maybe chmod 0644 'cxs/cxswebmin.tgz'
maybe chmod 0755 'cxs/htaccessdisable.example.pl'
maybe chmod 0600 'cxs/install.txt'
maybe chmod 0644 'cxs/license.txt'
maybe chmod 0644 'cxs/new.fp'
maybe chmod 0755 'cxs/newusers'
maybe chmod 0600 'cxs/reference.txt'
maybe chmod 0600 'cxs/servers'
maybe chmod 0644 'cxs/symlinkdisable.pl'
maybe chmod 0600 'cxs/test'
maybe chmod 0600 'cxs/test/testexploit.php'
maybe chmod 0700 'cxs/uninstall.sh'
maybe chmod 0755 'dbus-1'
maybe chmod 0644 'dbus-1/session.conf'
maybe chmod 0755 'dbus-1/session.d'
@@ -729,7 +671,6 @@ maybe chmod 0644 'dnf/protected.d/yum.conf'
maybe chmod 0755 'dnf/vars'
maybe chmod 0644 'dnf/vars/contentdir'
maybe chmod 0644 'dnf/vars/infra'
maybe chmod 0644 'dnf/vars/infra.rpmsave'
maybe chmod 0644 'dnf/vars/stream'
maybe chmod 0755 'docker'
maybe chmod 0640 'docker/daemon.json'
@@ -737,23 +678,16 @@ maybe chmod 0600 'docker/key.json'
maybe chmod 0755 'dovecot'
maybe chmod 0755 'dovecot/conf.d'
maybe chmod 0644 'dovecot/conf.d/10-auth.conf'
maybe chmod 0644 'dovecot/conf.d/10-auth.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/10-director.conf'
maybe chmod 0644 'dovecot/conf.d/10-logging.conf'
maybe chmod 0644 'dovecot/conf.d/10-logging.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/10-mail.conf'
maybe chmod 0644 'dovecot/conf.d/10-mail.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/10-master.conf'
maybe chmod 0644 'dovecot/conf.d/10-metrics.conf'
maybe chmod 0644 'dovecot/conf.d/10-ssl.conf'
maybe chmod 0644 'dovecot/conf.d/10-ssl.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/15-lda.conf'
maybe chmod 0644 'dovecot/conf.d/15-mailboxes.conf'
maybe chmod 0644 'dovecot/conf.d/15-mailboxes.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/20-imap.conf'
maybe chmod 0644 'dovecot/conf.d/20-imap.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/20-lmtp.conf'
maybe chmod 0644 'dovecot/conf.d/20-lmtp.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/20-managesieve.conf'
maybe chmod 0644 'dovecot/conf.d/20-pop3.conf'
maybe chmod 0644 'dovecot/conf.d/20-submission.conf'
@@ -763,10 +697,8 @@ maybe chgrp 'dovecot' 'dovecot/conf.d/90-imapsieve.conf'
maybe chmod 0640 'dovecot/conf.d/90-imapsieve.conf'
maybe chmod 0644 'dovecot/conf.d/90-plugin.conf'
maybe chmod 0644 'dovecot/conf.d/90-quota.conf'
maybe chmod 0644 'dovecot/conf.d/90-quota.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/90-sieve-extprograms.conf'
maybe chmod 0644 'dovecot/conf.d/90-sieve.conf'
maybe chmod 0644 'dovecot/conf.d/90-sieve.conf.rpmnew'
maybe chmod 0644 'dovecot/conf.d/auth-checkpassword.conf.ext'
maybe chmod 0644 'dovecot/conf.d/auth-deny.conf.ext'
maybe chmod 0644 'dovecot/conf.d/auth-dict.conf.ext'
@@ -789,7 +721,6 @@ maybe chown 'vmail' 'dovecot/dovecot-mysql.conf'
maybe chgrp 'dovecot' 'dovecot/dovecot-mysql.conf'
maybe chmod 0640 'dovecot/dovecot-mysql.conf'
maybe chmod 0644 'dovecot/dovecot.conf'
maybe chmod 0644 'dovecot/dovecot.conf.rpmnew'
maybe chown 'vmail' 'dovecot/quota-warning.sh'
maybe chgrp 'dovecot' 'dovecot/quota-warning.sh'
maybe chmod 0750 'dovecot/quota-warning.sh'
@@ -839,7 +770,6 @@ maybe chmod 0755 'etckeeper/commit.d/99push'
maybe chmod 0644 'etckeeper/commit.d/README'
maybe chmod 0755 'etckeeper/daily'
maybe chmod 0644 'etckeeper/etckeeper.conf'
maybe chmod 0644 'etckeeper/etckeeper.conf.rpmnew'
maybe chmod 0755 'etckeeper/init.d'
maybe chmod 0755 'etckeeper/init.d/10restore-metadata'
maybe chmod 0755 'etckeeper/init.d/20restore-etckeeper'
@@ -884,8 +814,6 @@ maybe chmod 0755 'fail2ban/action.d'
maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf'
maybe chmod 0644 'fail2ban/action.d/apf.conf'
maybe chmod 0644 'fail2ban/action.d/apprise.conf'
maybe chmod 0644 'fail2ban/action.d/badips.py.rpmnew'
maybe chmod 0640 'fail2ban/action.d/badips.py.rpmsave'
maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf'
maybe chmod 0644 'fail2ban/action.d/cloudflare-token.conf'
maybe chmod 0644 'fail2ban/action.d/cloudflare.conf'
@@ -900,12 +828,10 @@ maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf'
maybe chmod 0644 'fail2ban/action.d/helpers-common.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf'
maybe chmod 0640 'fail2ban/action.d/iptables-common.conf.rpmsave'
maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf'
maybe chmod 0640 'fail2ban/action.d/iptables-ipset.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-ipset.conf.rpmnew'
maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-new.conf'
@@ -913,7 +839,6 @@ maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf'
maybe chmod 0644 'fail2ban/action.d/iptables.conf'
maybe chmod 0644 'fail2ban/action.d/ipthreat.conf'
maybe chmod 0644 'fail2ban/action.d/mail-whois-common.conf'
maybe chmod 0644 'fail2ban/action.d/mail.conf.rpmsave'
maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf'
maybe chmod 0644 'fail2ban/action.d/netscaler.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf'
@@ -934,12 +859,9 @@ maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf'
maybe chmod 0644 'fail2ban/action.d/sendmail.conf'
maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf'
maybe chmod 0644 'fail2ban/action.d/smtp.py'
maybe chmod 0644 'fail2ban/action.d/smtp.py.rpmnew'
maybe chmod 0640 'fail2ban/action.d/smtp.py.rpmsave'
maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf'
maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf'
maybe chmod 0644 'fail2ban/fail2ban.conf'
maybe chmod 0640 'fail2ban/fail2ban.conf.rpmsave'
maybe chmod 0755 'fail2ban/fail2ban.d'
maybe chmod 0755 'fail2ban/filter.d'
maybe chmod 0644 'fail2ban/filter.d/3proxy.conf'
@@ -968,8 +890,6 @@ maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf'
maybe chmod 0644 'fail2ban/filter.d/directadmin.conf'
maybe chmod 0644 'fail2ban/filter.d/domino-smtp.conf'
maybe chmod 0644 'fail2ban/filter.d/dovecot.conf'
maybe chmod 0644 'fail2ban/filter.d/dovecot.conf.rpmnew'
maybe chmod 0640 'fail2ban/filter.d/dovecot.conf.rpmsave'
maybe chmod 0644 'fail2ban/filter.d/dropbear.conf'
maybe chmod 0644 'fail2ban/filter.d/drupal-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/ejabberd-auth.conf'
@@ -987,7 +907,6 @@ maybe chmod 0644 'fail2ban/filter.d/haproxy-http-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/horde.conf'
maybe chmod 0755 'fail2ban/filter.d/ignorecommands'
maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
maybe chmod 0750 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave'
maybe chmod 0644 'fail2ban/filter.d/kerio.conf'
maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/mongodb-auth.conf'
@@ -998,11 +917,8 @@ maybe chmod 0644 'fail2ban/filter.d/murmur.conf'
maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/nagios.conf'
maybe chmod 0644 'fail2ban/filter.d/named-refused.conf'
maybe chmod 0644 'fail2ban/filter.d/named-refused.conf.rpmnew'
maybe chmod 0640 'fail2ban/filter.d/named-refused.conf.rpmsave'
maybe chmod 0644 'fail2ban/filter.d/nginx-bad-request.conf'
maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf'
maybe chmod 0640 'fail2ban/filter.d/nginx-botsearch.conf.rpmsave'
maybe chmod 0640 'fail2ban/filter.d/nginx-forbidden.conf'
maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/nginx-limit-req.conf'
@@ -1025,7 +941,6 @@ maybe chmod 0644 'fail2ban/filter.d/proftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/qmail.conf'
maybe chmod 0644 'fail2ban/filter.d/recidive.conf'
maybe chmod 0640 'fail2ban/filter.d/recidive.conf.rpmsave'
maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/scanlogd.conf'
maybe chmod 0644 'fail2ban/filter.d/screensharingd.conf'
@@ -1053,7 +968,6 @@ maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf'
maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf'
maybe chmod 0644 'fail2ban/jail.conf'
maybe chmod 0640 'fail2ban/jail.conf.rpmsave'
maybe chmod 0755 'fail2ban/jail.d'
maybe chmod 0644 'fail2ban/jail.d/00-firewalld.conf'
maybe chmod 0640 'fail2ban/jail.d/default.conf'
@@ -1083,10 +997,6 @@ maybe chmod 0644 'freeipmi/freeipmi_interpret_sensor.conf'
maybe chmod 0600 'freeipmi/ipmidetect.conf'
maybe chmod 0600 'freeipmi/libipmiconsole.conf'
maybe chmod 0600 'freshclam.conf'
maybe chmod 0600 'freshclam.conf.rpmnew'
maybe chown 'amavis' 'freshclam.conf.rpmsave'
maybe chgrp 'amavis' 'freshclam.conf.rpmsave'
maybe chmod 0600 'freshclam.conf.rpmsave'
maybe chmod 0644 'fstab'
maybe chmod 0644 'fuse.conf'
maybe chmod 0755 'gcrypt'
@@ -1143,18 +1053,15 @@ maybe chmod 0755 'httpd/conf.d'
maybe chmod 0644 'httpd/conf.d/README'
maybe chmod 0644 'httpd/conf.d/acme.conf'
maybe chmod 0644 'httpd/conf.d/autoindex.conf'
maybe chmod 0644 'httpd/conf.d/awstats.conf.rpmsave'
maybe chmod 0644 'httpd/conf.d/mailgraph.conf'
maybe chmod 0640 'httpd/conf.d/mod_deflate.conf'
maybe chmod 0644 'httpd/conf.d/perl.conf'
maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
maybe chmod 0644 'httpd/conf.d/php.conf'
maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
maybe chmod 0644 'httpd/conf.d/squid.conf'
maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
maybe chmod 0644 'httpd/conf.d/userdir.conf'
maybe chmod 0644 'httpd/conf.d/welcome.conf'
maybe chmod 0644 'httpd/conf.d/welcome.conf.rpmnew'
maybe chmod 0755 'httpd/conf.modules.d'
maybe chmod 0644 'httpd/conf.modules.d/00-base.conf'
maybe chmod 0644 'httpd/conf.modules.d/00-dav.conf'
@@ -1169,7 +1076,6 @@ maybe chmod 0644 'httpd/conf.modules.d/02-perl.conf'
maybe chmod 0644 'httpd/conf.modules.d/10-h2.conf'
maybe chmod 0644 'httpd/conf.modules.d/10-proxy_h2.conf'
maybe chmod 0644 'httpd/conf.modules.d/15-php.conf'
maybe chmod 0644 'httpd/conf.modules.d/15-php.conf.rpmnew'
maybe chmod 0644 'httpd/conf.modules.d/README'
maybe chmod 0644 'httpd/conf/httpd.conf'
maybe chmod 0644 'httpd/conf/magic'
@@ -1178,11 +1084,8 @@ maybe chmod 0755 'imunify360'
maybe chmod 0755 'imunify360-webshield'
maybe chmod 0755 'imunify360-webshield/captcha'
maybe chmod 0644 'imunify360-webshield/captcha/lang.conf'
maybe chmod 0660 'imunify360-webshield/common-proxies.conf.rpmsave'
maybe chmod 0660 'imunify360-webshield/country_ips.conf.rpmsave'
maybe chmod 0644 'imunify360-webshield/ports.conf'
maybe chmod 0755 'imunify360-webshield/splashscreen'
maybe chmod 0644 'imunify360-webshield/splashscreen-antibot.conf.rpmsave'
maybe chmod 0644 'imunify360-webshield/splashscreen/lang.conf'
maybe chmod 0755 'imunify360-webshield/ssl_certs'
maybe chmod 0644 'imunify360-webshield/ssl_ports.conf'
@@ -1297,9 +1200,6 @@ maybe chmod 0644 'iproute2/rt_tables'
maybe chmod 0640 'issue'
maybe chmod 0755 'issue.d'
maybe chmod 0640 'issue.net'
maybe chmod 0644 'issue.net.rpmsave'
maybe chmod 0644 'issue.rpmnew'
maybe chmod 0644 'issue.rpmsave'
maybe chmod 0755 'java'
maybe chmod 0755 'java/java-1.8.0-openjdk'
maybe chmod 0755 'java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.372.b07-4.el8.x86_64'
@@ -3426,7 +3326,6 @@ maybe chmod 0644 'logrotate.d/clamav-unofficial-sigs'
maybe chmod 0644 'logrotate.d/cups'
maybe chmod 0644 'logrotate.d/dnf'
maybe chmod 0644 'logrotate.d/fail2ban'
maybe chmod 0640 'logrotate.d/fail2ban.rpmsave'
maybe chmod 0644 'logrotate.d/firewalld'
maybe chmod 0644 'logrotate.d/httpd'
maybe chmod 0644 'logrotate.d/iptraf-ng'
@@ -3514,7 +3413,6 @@ maybe chmod 0644 'mail/spamassassin/channel.d/spamassassin-official.conf'
maybe chmod 0644 'mail/spamassassin/dnswlh.cf.disabled'
maybe chmod 0644 'mail/spamassassin/iXhash.pm'
maybe chmod 0644 'mail/spamassassin/init.pre'
maybe chmod 0644 'mail/spamassassin/init.pre.rpmnew'
maybe chmod 0644 'mail/spamassassin/learn_spam.sh'
maybe chmod 0755 'mail/spamassassin/lib'
maybe chmod 0755 'mail/spamassassin/lib/python'
@@ -4348,7 +4246,6 @@ maybe chmod 0644 'my.cnf.d/server.cnf'
maybe chmod 0644 'my.cnf.d/spider.cnf'
maybe chmod 0775 'nagios'
maybe chmod 0644 'nagios/nrpe.cfg'
maybe chmod 0644 'nagios/nrpe.cfg.rpmnew'
maybe chgrp 'named' 'named'
maybe chmod 0750 'named'
maybe chgrp 'named' 'named.conf'
@@ -4414,9 +4311,6 @@ maybe chmod 0640 'nginx/conf.d/club3d.ro.conf'
maybe chown 'nginx' 'nginx/conf.d/default.conf'
maybe chgrp 'nginx' 'nginx/conf.d/default.conf'
maybe chmod 0640 'nginx/conf.d/default.conf'
maybe chown 'nginx' 'nginx/conf.d/default.conf.rpmnew'
maybe chgrp 'nginx' 'nginx/conf.d/default.conf.rpmnew'
maybe chmod 0640 'nginx/conf.d/default.conf.rpmnew'
maybe chown 'nginx' 'nginx/conf.d/files.898.ro.conf'
maybe chgrp 'nginx' 'nginx/conf.d/files.898.ro.conf'
maybe chmod 0640 'nginx/conf.d/files.898.ro.conf'
@@ -5340,7 +5234,6 @@ maybe chmod 0640 'postfix/_sql/mysql_virtual_mailbox_maps.cf'
maybe chmod 0644 'postfix/access'
maybe chgrp 'postfix' 'postfix/access.db'
maybe chmod 0640 'postfix/access.db'
maybe chmod 0644 'postfix/access.rpmnew'
maybe chgrp 'postfix' 'postfix/blacklist'
maybe chmod 0640 'postfix/blacklist'
maybe chgrp 'postfix' 'postfix/blacklist.db'
@@ -5351,7 +5244,6 @@ maybe chgrp 'postfix' 'postfix/body_checks.db'
maybe chmod 0640 'postfix/body_checks.db'
maybe chmod 0640 'postfix/ca-certificates-2019.2.32-76.el7_7.noarch.rpm'
maybe chmod 0644 'postfix/canonical'
maybe chmod 0644 'postfix/canonical.rpmnew'
maybe chgrp 'postfix' 'postfix/check_client_access'
maybe chmod 0640 'postfix/check_client_access'
maybe chgrp 'postfix' 'postfix/check_client_access.db'
@@ -5383,11 +5275,9 @@ maybe chgrp 'postfix' 'postfix/helo_access.pcre.db'
maybe chmod 0640 'postfix/helo_access.pcre.db'
maybe chmod 0644 'postfix/main.cf'
maybe chmod 0644 'postfix/main.cf.proto'
maybe chmod 0644 'postfix/main.cf.rpmnew'
maybe chmod 0644 'postfix/master.cf'
maybe chmod 0644 'postfix/master.cf.bkp'
maybe chmod 0644 'postfix/master.cf.proto'
maybe chmod 0644 'postfix/master.cf.rpmnew'
maybe chgrp 'postfix' 'postfix/mime_header_checks'
maybe chmod 0640 'postfix/mime_header_checks'
maybe chgrp 'postfix' 'postfix/mynetworks'
@@ -5471,11 +5361,9 @@ maybe chmod 0640 'postfix/submission_header_cleanup'
maybe chmod 0644 'postfix/transport'
maybe chgrp 'postfix' 'postfix/transport.db'
maybe chmod 0640 'postfix/transport.db'
maybe chmod 0644 'postfix/transport.rpmnew'
maybe chmod 0644 'postfix/virtual'
maybe chgrp 'postfix' 'postfix/virtual.db'
maybe chmod 0640 'postfix/virtual.db'
maybe chmod 0644 'postfix/virtual.rpmnew'
maybe chgrp 'postfix' 'postfix/virtual_regexp'
maybe chmod 0640 'postfix/virtual_regexp'
maybe chmod 0755 'ppp'
@@ -5493,7 +5381,6 @@ maybe chmod 0755 'ppp/ipv6-down'
maybe chmod 0755 'ppp/ipv6-up'
maybe chmod 0644 'ppp/options'
maybe chmod 0644 'ppp/options.pptp'
maybe chmod 0644 'ppp/options.pptp.rpmnew'
maybe chmod 0644 'ppp/options.pptpd'
maybe chmod 0600 'ppp/pap-secrets'
maybe chmod 0755 'ppp/peers'
@@ -5799,7 +5686,6 @@ maybe chmod 0644 'rwtab.d/logrotate'
maybe chmod 0644 'rwtab.d/named'
maybe chmod 0644 'rwtab.d/sssd'
maybe chmod 0755 'samba'
maybe chmod 0644 'samba/smb.conf.rpmsave'
maybe chmod 0755 'sasl2'
maybe chmod 0644 'sasl2/smtpd.conf'
maybe chmod 0755 'scl'
@@ -5986,7 +5872,6 @@ maybe chmod 0640 'ssh/ssh_host_rsa_key'
maybe chmod 0644 'ssh/ssh_host_rsa_key.pub'
maybe chmod 0600 'ssh/sshd_config'
maybe chmod 0600 'ssh/sshd_config.orig'
maybe chmod 0600 'ssh/sshd_config.rpmnew'
maybe chmod 0755 'ssh/sshrc'
maybe chmod 0755 'ssl'
maybe chmod 0644 'sslh.cfg'
@@ -6031,14 +5916,12 @@ maybe chmod 0660 'sysconfig/imunify360/.imunify360.backup_config'
maybe chmod 0755 'sysconfig/imunify360/generic'
maybe chmod 0660 'sysconfig/imunify360/generic/modsec.conf'
maybe chmod 0700 'sysconfig/imunify360/imunify360.config.d'
maybe chmod 0600 'sysconfig/imunify360/imunify360.config.rpmsave'
maybe chmod 0640 'sysconfig/imunify360/integration.conf'
maybe chmod 0755 'sysconfig/imunify360/malware-filters-admin-conf'
maybe chmod 0660 'sysconfig/imunify360/panel-name.txt'
maybe chmod 0600 'sysconfig/ip6tables-config'
maybe chmod 0600 'sysconfig/iptables-config'
maybe chmod 0644 'sysconfig/iptables.old-2020-10-20-17_37_02'
maybe chmod 0600 'sysconfig/iptables.rpmsave'
maybe chmod 0644 'sysconfig/irqbalance'
maybe chmod 0644 'sysconfig/kernel'
maybe chmod 0644 'sysconfig/maldet'
@@ -6117,7 +6000,6 @@ maybe chmod 0755 'systemd'
maybe chmod 0644 'systemd/coredump.conf'
maybe chmod 0644 'systemd/journald.conf'
maybe chmod 0644 'systemd/logind.conf'
maybe chmod 0644 'systemd/logind.conf.rpmnew'
maybe chmod 0644 'systemd/pstore.conf'
maybe chmod 0644 'systemd/resolved.conf'
maybe chmod 0755 'systemd/system'
@@ -6256,7 +6138,6 @@ maybe chmod 0755 'xml'
maybe chmod 0644 'xml/catalog'
maybe chmod 0755 'yum'
maybe chmod 0755 'yum.repos.d'
maybe chmod 0640 'yum.repos.d/CentOS-Linux-PowerTools.repo.rpmsave'
maybe chmod 0644 'yum.repos.d/_copr:copr.fedorainfracloud.org:jdoss:wireguard.repo'
maybe chmod 0644 'yum.repos.d/almalinux-ha.repo'
maybe chmod 0644 'yum.repos.d/almalinux-nfv.repo'

828
amavisd/amavisd.conf.rpmnew
View File

@@ -1,828 +0,0 @@
use strict;
# a minimalistic configuration file for amavisd-new with all necessary settings
#
# see amavisd.conf-default for a list of all variables with their defaults;
# for more details see documentation in INSTALL, README_FILES/*
# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
# COMMONLY ADJUSTED SETTINGS:
# @bypass_virus_checks_maps = (1); # controls running of anti-virus code
# @bypass_spam_checks_maps = (1); # controls running of anti-spam code
# $bypass_decode_parts = 1; # controls running of decoders&dearchivers
# $myprogram_name = $0; # set to 'amavisd' or similar to avoid process name
# truncation in /proc/<pid>/stat and ps -e output
$max_servers = 2; # num of pre-forked children (2..30 is common), -m
$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u
$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g
$mydomain = 'example.com'; # a convenient default for other settings
$MYHOME = '/var/spool/amavisd'; # a convenient default for other settings, -H
$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T
$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc.
$QUARANTINEDIR = undef; # -Q
# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine
# $release_format = 'resend'; # 'attach', 'plain', 'resend'
# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf'
# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R
$db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D
# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S
$lock_file = "/run/amavisd/amavisd.lock"; # -L
$pid_file = "/run/amavisd/amavisd.pid"; # -P
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
$log_level = 0; # verbosity 0..5, -d
$log_recip_templ = undef; # disable by-recipient level-0 log entries
$do_syslog = 1; # log via syslogd (preferred)
$syslog_facility = 'mail'; # Syslog facility as a string
# e.g.: mail, daemon, user, local0, ... local7
$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny)
# $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny)
$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key
@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
$unix_socketname = "/run/amavisd/amavisd.sock"; # amavisd-release or amavis-milter
# option(s) -p overrides $inet_socket_port and $unix_socketname
# The default receiving port in the Fedora and RHEL SELinux policy is 10024.
# To allow additional ports you need to label them as 'amavisd_recv_port_t'
# For example: semanage port -a -t amavisd_recv_port_t -p tcp 10022
$inet_socket_port = 10024; # listen on this local TCP port(s)
# $inet_socket_port = [10022,10024]; # listen on multiple TCP ports
$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1, # is true in MYNETS by default, but let's make it explicit
os_fingerprint_method => undef, # don't query p0f for internal clients
};
# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10022) for filtering
$interface_policy{'10022'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10025',
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1], # allow sending any file names and types
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};
$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
$policy_bank{'AM.PDP-SOCK'} = {
protocol => 'AM.PDP',
auth_required_release => 0, # do not require secret_id for amavisd-release
};
$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail)
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is suppressed
$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database)
$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam
$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces
$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0; # only tests which do not require internet access?
# @lookup_sql_dsn =
# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
# $redis_logging_key = 'amavis-log';
# $redis_logging_queue_size_limit = 300000; # about 250 MB / 100000
# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
$virus_admin = undef; # notifications recip.
$mailfrom_notify_admin = undef; # notifications sender
$mailfrom_notify_recip = undef; # notifications sender
$mailfrom_notify_spamadmin = undef; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps = ('virus');
@addr_extension_banned_maps = ('banned');
@addr_extension_spam_maps = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+'; # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';
$MAXLEVELS = 14;
$MAXFILES = 3000;
$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced)
$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced)
$sa_spam_subject_tag = '***Spam*** ';
$defang_virus = 1; # MIME-wrap passed infected mail
$defang_banned = 1; # MIME-wrap passed mail containing banned name
# for defanging bad headers only turn on certain minor contents categories:
$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header
$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters
$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error
# OTHER MORE COMMON SETTINGS (defaults may suffice):
# $myhostname = 'host.example.com'; # must be a fully-qualified domain name!
# The default forwarding port in the Fedora and RHEL SELinux policy is 10025.
# To allow additional ports you need to label them as 'amavisd_send_port_t'.
# For example: semanage port -a -t amavisd_send_port_t -p tcp 10023
# $notify_method = 'smtp:[127.0.0.1]:10023';
# $forward_method = 'smtp:[127.0.0.1]:10023'; # set to undef with milter!
$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_BOUNCE;
$final_spam_destiny = D_DISCARD; #!!! D_DISCARD / D_REJECT
$final_bad_header_destiny = D_BOUNCE;
# $bad_header_quarantine_method = undef;
# $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl
## hierarchy by which a final setting is chosen:
## policy bank (based on port or IP address) -> *_by_ccat
## *_by_ccat (based on mail contents) -> *_maps
## *_maps (based on recipient address) -> final configuration value
# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
# $warnbadhsender,
# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
#
# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
# @bypass_banned_checks_maps, @bypass_header_checks_maps,
#
# @virus_lovers_maps, @spam_lovers_maps,
# @banned_files_lovers_maps, @bad_header_lovers_maps,
#
# @blacklist_sender_maps, @score_sender_maps,
#
# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
# $bad_header_quarantine_to, $spam_quarantine_to,
#
# $defang_bad_header, $defang_undecipherable, $defang_spam
# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # let virus scanner see full original message
qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));
$banned_filename_re = new_RE(
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary
# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types
### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2
[ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives
qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
# qr'^\.zip$', # block zip type
### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives
qr'^application/x-msdownload$'i, # block these MIME types
qr'^application/x-msdos-program$'i,
qr'^application/hta$'i,
# qr'^message/partial$'i, # rfc2046 MIME type
# qr'^message/external-body$'i, # rfc2046 MIME type
# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type
# qr'^\.wmf$', # Windows Metafile file(1) type
# block certain double extensions in filenames
qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic
# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long
# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also
# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
# qr'^\.ani$', # banned animated cursor file(1) type
# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab.
);
# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
# and http://www.cknow.com/vtutor/vtextensions.htm
# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
@score_sender_maps = ({ # a by-recipient hash lookup table,
# results from all matching recipient tables are summed
# ## per-recipient personal tables (NOTE: positive: black, negative: white)
# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}],
# 'user3@example.com' => [{'.ebay.com' => -3.0}],
# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0,
# '.cleargreen.com' => -5.0}],
## site-wide opinions about senders (the '.' matches any recipient)
'.' => [ # the _first_ matching sender determines the score boost
new_RE( # regexp-type lookup table, just happens to be all soft-blacklist
[qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0],
[qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
[qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
[qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0],
[qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0],
[qr'^(your_friend|greatoffers)@'i => 5.0],
[qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0],
),
# read_hash("/var/amavis/sender_scores_sitewide"),
{ # a hash-type lookup table (associative array)
'nobody@cert.org' => -3.0,
'cert-advisory@us-cert.gov' => -3.0,
'owner-alert@iss.net' => -3.0,
'slashdot@slashdot.org' => -3.0,
'securityfocus.com' => -3.0,
'ntbugtraq@listserv.ntbugtraq.com' => -3.0,
'security-alerts@linuxsecurity.com' => -3.0,
'mailman-announce-admin@python.org' => -3.0,
'amavis-user-admin@lists.sourceforge.net'=> -3.0,
'amavis-user-bounces@lists.sourceforge.net' => -3.0,
'spamassassin.apache.org' => -3.0,
'notification-return@lists.sophos.com' => -3.0,
'owner-postfix-users@postfix.org' => -3.0,
'owner-postfix-announce@postfix.org' => -3.0,
'owner-sendmail-announce@lists.sendmail.org' => -3.0,
'sendmail-announce-request@lists.sendmail.org' => -3.0,
'donotreply@sendmail.org' => -3.0,
'ca+envelope@sendmail.org' => -3.0,
'noreply@freshmeat.net' => -3.0,
'owner-technews@postel.acm.org' => -3.0,
'ietf-123-owner@loki.ietf.org' => -3.0,
'cvs-commits-list-admin@gnome.org' => -3.0,
'rt-users-admin@lists.fsck.com' => -3.0,
'clp-request@comp.nus.edu.sg' => -3.0,
'surveys-errors@lists.nua.ie' => -3.0,
'emailnews@genomeweb.com' => -5.0,
'yahoo-dev-null@yahoo-inc.com' => -3.0,
'returns.groups.yahoo.com' => -3.0,
'clusternews@linuxnetworx.com' => -3.0,
lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0,
lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
# soft-blacklisting (positive score)
'sender@example.net' => 3.0,
'.example.net' => 1.0,
},
], # end of site-wide tables
});
@decoders = (
['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii], # not safe
['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
['gz', \&do_uncompress, 'gzip -d'],
['gz', \&do_gunzip],
['bz2', \&do_uncompress, 'bzip2 -d'],
['xz', \&do_uncompress,
['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
['lzma', \&do_uncompress,
['lzmadec', 'xz -dc --format=lzma',
'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
# ['lrz', \&do_uncompress,
# ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
['lzo', \&do_uncompress, 'lzop -d'],
['lz4', \&do_uncompress, ['lz4c -d'] ],
['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
[['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
# ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
['deb', \&do_ar, 'ar'],
# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill
['rar', \&do_unrar, ['unrar', 'rar'] ],
['arj', \&do_unarj, ['unarj', 'arj'] ],
['arc', \&do_arc, ['nomarch', 'arc'] ],
['zoo', \&do_zoo, ['zoo', 'unzoo'] ],
# ['doc', \&do_ole, 'ripole'], # no ripole package so far
['cab', \&do_cabextract, 'cabextract'],
# ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead
['tnef', \&do_tnef],
# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead
# ['sit', \&do_unstuff, 'unstuff'], # not safe
[['zip','kmz'], \&do_7zip, ['7za', '7z'] ],
[['zip','kmz'], \&do_unzip],
['7z', \&do_7zip, ['7zr', '7za', '7z'] ],
[[qw(gz bz2 Z tar)],
\&do_7zip, ['7za', '7z'] ],
[[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
\&do_7zip, '7z' ],
['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
);
@av_scanners = (
# ### http://www.sophos.com/
# ['Sophos-SSSP', # SAV Dynamic Interface
# \&ask_daemon, ["{}", 'sssp:/run/savdi/sssp.sock'],
# # or: ["{}", 'sssp:[127.0.0.1]:4010'],
# qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],
# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
# ['Sophie',
# \&ask_daemon, ["{}/\n", 'sophie:/run/sophie'],
# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ],
# ['Avira SAVAPI',
# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'],
# qr/^(200|210)/m, qr/^(310|420|319)/m,
# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ],
# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1
### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# NOTE: run clamd under the same user as amavisd - or run it under its own
# uid such as clamav, add user clamav to the amavis group, and then add
# AllowSupplementaryGroups to clamd.conf;
# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
# this entry; when running chrooted one may prefer a socket under $MYHOME.
# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
# [0], [1], qr/^INFECTED: (.+)/m],
# ### http://www.openantivirus.org/
# ['OpenAntiVirus ScannerDaemon (OAV)',
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],
# ### http://www.vanja.com/tools/trophie/
# ['Trophie',
# \&ask_daemon, ["{}/\n", 'trophie:/run/trophie'],
# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
# ### http://www.grisoft.com/
# ['AVG Anti-Virus',
# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
# qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ],
# ### http://www.f-prot.com/
# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6
# \&ask_daemon,
# ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
# qr/^(0|8|64) /m,
# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],
# ### http://www.f-prot.com/
# ['F-Prot f-protd', # old version
# \&ask_daemon,
# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
# '127.0.0.1:10203', '127.0.0.1:10204'] ],
# qr/(?i)<summary[^>]*>clean<\/summary>/m,
# qr/(?i)<summary[^>]*>infected<\/summary>/m,
# qr/(?i)<name>(.+)<\/name>/m ],
# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
# [pack('N',1). # DRWEBD_SCAN_CMD
# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
# pack('N', # path length
# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
# '{}/*'. # path
# pack('N',0). # content size
# pack('N',0),
# '/var/drweb/run/drwebd.sock',
# # '/var/amavis/run/drwebd.sock', # suitable for chroot
# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
# # '127.0.0.1:3000', # or over an inet socket
# ],
# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED
# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
# ],
# # NOTE: If using amavis-milter, change length to:
# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
### http://www.kaspersky.com/ (kav4mailservers)
['KasperskyLab AVP - aveclient',
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
'/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
'-p /run/aveserver -s {}/*',
[0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
],
# NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
# currupted or protected archives are to be handled
### http://www.kaspersky.com/
['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
'-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
qr/infected: (.+)/m,
sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
### The kavdaemon and AVPDaemonClient have been removed from Kasperky
### products and replaced by aveserver and aveclient
['KasperskyLab AVPDaemonClient',
[ '/opt/AVP/kavdaemon', 'kavdaemon',
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
'/opt/AVP/avpdc', 'avpdc' ],
"-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
# change the startup-script in /etc/init.d/kavd to:
# DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
# (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
# adjusting /var/amavis above to match your $TEMPBASE.
# The '-f=/var/amavis' is needed if not running it as root, so it
# can find, read, and write its pid file, etc., see 'man kavdaemon'.
# defUnix.prf: there must be an entry "*/var/amavis" (or whatever
# directory $TEMPBASE specifies) in the 'Names=' section.
# cd /opt/AVP/DaemonClients; configure; cd Sample; make
# cp AvpDaemonClient /opt/AVP/
# su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
### http://www.centralcommand.com/
['CentralCommand Vexira (new) vascan',
['vascan','/usr/lib/Vexira/vascan'],
"-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
"--log=/var/log/vascan.log {}",
[0,3], [1,2,5],
qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
# Adjust the path of the binary and the virus database as needed.
# 'vascan' does not allow to have the temp directory to be the same as
# the quarantine directory, and the quarantine option can not be disabled.
# If $QUARANTINEDIR is not used, then another directory must be specified
# to appease 'vascan'. Move status 3 to the second list if password
# protected files are to be considered infected.
### http://www.avira.com/
### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
['Avira AntiVir', ['antivir','vexira'],
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
# NOTE: if you only have a demo version, remove -z and add 214, as in:
# '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
### http://www.avira.com/
### Avira for UNIX 3.x
['Avira AntiVir', ['avscan'],
'-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],
### http://www.commandsoftware.com/
['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/m ],
### http://www.symantec.com/
['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
qr/^(?:Info|Virus Name):\s+(.+)/m ],
### http://www.symantec.com/
['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/m,
qr/^(?:Info|Virus Name):\s+(.+)/m ],
# NOTE: check options and patterns to see which entry better applies
# ### http://www.f-secure.com/products/anti-virus/ version 5.52
# ['F-Secure Antivirus for Linux servers',
# ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
# '--virus-action1=report --archive=yes --auto=yes '.
# '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
# qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
# # NOTE: internal archive handling may be switched off by '--archive=no'
# # to prevent fsav from exiting with status 9 on broken archives
### http://www.f-secure.com/ version 9.14
['F-Secure Linux Security',
['/opt/f-secure/fsav/bin/fsav', 'fsav'],
'--virus-action1=report --archive=yes --auto=yes '.
'--list=no --nomimeerr {}', [0], [3,4,6,8],
qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
# NOTE: internal archive handling may be switched off by '--archive=no'
# to prevent fsav from exiting with status 9 on broken archives
# ### http://www.avast.com/
# ['avast! Antivirus daemon',
# \&ask_daemon, # greets with 220, terminate with QUIT
# ["SCAN {}\015\012QUIT\015\012", '/run/avast4/mailscanner.sock'],
# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ],
# ### http://www.avast.com/
# ['avast! Antivirus - Client/Server Version', 'avastlite',
# '-a /run/avast4/mailscanner.sock -n {}', [0], [1],
# qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
['CAI InoculateIT', 'inocucmd', # retired product
'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/m ],
# see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
['CAI eTrust Antivirus', 'etrust-wrapper',
'-arc -nex -spm h {}', [0], [101],
qr/is infected by virus: (.+)/m ],
# NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
# see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
### http://mks.com.pl/english.html
['MkS_Vir for Linux (beta)', ['mks32','mks'],
'-s {}/*', [0], [1,2],
qr/--[ \t]*(.+)/m ],
### http://mks.com.pl/english.html
['MkS_Vir daemon', 'mksscan',
'-s -q {}', [0], [1..7],
qr/^... (\S+)/m ],
# ### http://www.nod32.com/, version v2.52 (old)
# ['ESET NOD32 for Linux Mail servers',
# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
# '--action-on-notscanned=accept {}',
# [0,3], [1,2], qr/virus="([^"]+)"/m ],
# ### http://www.eset.com/, version v2.7 (old)
# ['ESET NOD32 Linux Mail Server - command line interface',
# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],
# ### http://www.eset.com/, version 2.71.12
# ['ESET Software ESETS Command Line Interface',
# ['/usr/bin/esets_cli', 'esets_cli'],
# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],
### http://www.eset.com/, version 3.0
['ESET Software ESETS Command Line Interface',
['/usr/bin/esets_cli', 'esets_cli'],
'--subdir {}', [0], [1,2,3],
qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
## http://www.nod32.com/, NOD32LFS version 2.5 and above
['ESET NOD32 for Linux File servers',
['/opt/eset/nod32/sbin/nod32','nod32'],
'--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
'-w -a --action=1 -b {}',
[0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
# ['ESET Software NOD32 Client/Server (NOD32SS)',
# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
# ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],
### http://www.norman.com/products_nvc.shtml
['Norman Virus Control v5 / Linux', 'nvcc',
'-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
qr/(?i).* virus in .* -> \'(.+)\'/m ],
### http://www.pandasoftware.com/
['Panda CommandLineSecure 9 for Linux',
['/opt/pavcl/usr/bin/pavcl','pavcl'],
'-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
qr/Number of files infected[ .]*: 0+(?!\d)/m,
qr/Number of files infected[ .]*: 0*[1-9]/m,
qr/Found virus :\s*(\S+)/m ],
# NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
# before starting amavisd - the bases are then loaded only once at startup.
# To reload bases in a signature update script:
# /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
# Please review other options of pavcl, for example:
# -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
# ### http://www.pandasoftware.com/
# ['Panda Antivirus for Linux', ['pavcl'],
# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
# qr/Found virus :\s*(\S+)/m ],
# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
# Check your RAV license terms before fiddling with the following two lines!
# ['GeCAD RAV AntiVirus 8', 'ravav',
# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
# # NOTE: the command line switches changed with scan engine 8.5 !
# # (btw, assigning stdin to /dev/null causes RAV to fail)
### http://www.nai.com/
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/m,
# sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
# sub {delete $ENV{LD_PRELOAD}},
],
# NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
# anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
# and then clear it when finished to avoid confusing anything else.
# NOTE2: to treat encrypted files as viruses replace the [13] with:
# qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
### http://www.virusbuster.hu/en/
['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/m ],
# VirusBuster Ltd. does not support the daemon version for the workstation
# engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
# binaries, some parameters AND return codes have changed (from 3 to 1).
# See also the new Vexira entry 'vascan' which is possibly related.
# ### http://www.virusbuster.hu/en/
# ['VirusBuster (Client + Daemon)', 'vbengd',
# '-f -log scandir {}', [0], [3],
# qr/Virus found = (.*);/m ],
# # HINT: for an infected file it always returns 3,
# # although the man-page tells a different story
### http://www.cyber.com/
['CyberSoft VFind', 'vfind',
'--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
# sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
],
# ### http://www.avast.com/ (old)
# ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
# '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
# ### http://www.avast.com/
# ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ],
### http://www.ikarus-software.com/
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/m ],
### http://www.bitdefender.com/
['BitDefender', 'bdscan', # new version
'--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
### http://www.bitdefender.com/
['BitDefender', 'bdc', # old version
'--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
# consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
# not apply to your version of bdc, check documentation and see 'bdc --help'
### ArcaVir for Linux and Unix http://www.arcabit.pl/
['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
'-v 1 -summary 0 -s {}', [0], [1,2],
qr/(?:VIR|WIR):[ \t]*(.+)/m ],
# ### a generic SMTP-client interface to a SMTP-based virus scanner
# ['av_smtp', \&ask_av_smtp,
# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'],
# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],
# ['File::Scan', sub {Amavis::AV::ask_av(sub{
# use File::Scan; my($fn)=@_;
# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
# my($vname) = $f->scan($fn);
# $f->error ? (2,"Error: ".$f->error)
# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],
# ### fully-fledged checker for JPEG marker segments of invalid length
# ['check-jpeg',
# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
# # for example in /usr/local/lib/perl5/site_perl
);
@av_scanners_backup = (
### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
"--stdout --no-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# ### http://www.clamav.net/ - using remote clamd scanner as a backup
# ['ClamAV-clamdscan', 'clamdscan',
# "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
# [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
# ['ClamAV-clamd-stream',
# \&ask_daemon, ["*", 'clamd:/run/clamav/clamd.sock'],
# qr/\bOK$/m, qr/\bFOUND$/m,
# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
### http://www.f-prot.com/ - backs up F-Prot Daemon, V6
['F-PROT Antivirus for UNIX', ['fpscan'],
'--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10
[0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
### http://www.f-prot.com/ - backs up F-Prot Daemon (old)
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8],
qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
### http://www.trendmicro.com/ - backs up Trophie
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
'-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
'-path={} -al -go -ot -cn -upn -ok-',
[0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
### http://www.kaspersky.com/
['Kaspersky Antivirus v5.5',
['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
'/opt/kav/5.5/kav4unix/bin/kavscanner',
'/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
'-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
### http://www.sophos.com/
['Sophos Anti Virus (savscan)', # formerly known as 'sweep'
['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep'
'-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
'--no-reset-atime {}',
[0,2], qr/Virus .*? found/m,
qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
],
# other options to consider: -idedir=/usr/local/sav
# A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD).
# Make sure the correct 'sweep' is found in the path if using the old name.
# Always succeeds and considers mail clean.
# Potentially useful when all other scanners fail and it is desirable
# to let mail continue to flow with no virus checking (when uncommented).
# ['always-clean', sub {0}],
);
1; # insure a defined return value

96
bashrc.rpmnew
View File

@@ -1,96 +0,0 @@
# /etc/bashrc
# System wide functions and aliases
# Environment stuff goes in /etc/profile
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
# Prevent doublesourcing
if [ -z "$BASHRCSOURCED" ]; then
BASHRCSOURCED="Y"
# are we an interactive shell?
if [ "$PS1" ]; then
if [ -z "$PROMPT_COMMAND" ]; then
case $TERM in
xterm*|vte*)
if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
else
PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
fi
;;
screen*)
if [ -e /etc/sysconfig/bash-prompt-screen ]; then
PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
else
PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
fi
;;
*)
[ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
;;
esac
fi
# Turn on parallel history
shopt -s histappend
history -a
# Turn on checkwinsize
shopt -s checkwinsize
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
# You might want to have e.g. tty in prompt (e.g. more virtual machines)
# and console windows
# If you want to do so, just add e.g.
# if [ "$PS1" ]; then
# PS1="[\u@\h:\l \W]\\$ "
# fi
# to your custom modification shell script in /etc/profile.d/ directory
fi
if ! shopt -q login_shell ; then # We're not a login shell
# Need to redefine pathmunge, it gets undefined at the end of /etc/profile
pathmunge () {
case ":${PATH}:" in
*:"$1":*)
;;
*)
if [ "$2" = "after" ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
esac
}
# By default, we want umask to get set. This sets it for non-login shell.
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
umask 002
else
umask 022
fi
SHELL=/bin/bash
# Only display echos from profile.d scripts if we are no login shell
# and interactive - otherwise just process them to set envvars
for i in /etc/profile.d/*.sh; do
if [ -r "$i" ]; then
if [ "$PS1" ]; then
. "$i"
else
. "$i" >/dev/null
fi
fi
done
unset i
unset -f pathmunge
fi
fi
# vim:ts=4:sw=4

38
chrony.conf.rpmnew
View File

@@ -1,38 +0,0 @@
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
pool 2.almalinux.pool.ntp.org iburst
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
#allow 192.168.0.0/16
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys
# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking

791
clamd.conf.rpmnew
View File

@@ -1,791 +0,0 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Enable Prelude output.
# Default: no
#PreludeEnable yes
#
# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# This file will be owned by root, as long as clamd was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
#PidFile /var/run/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /tmp/clamd.socket
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging.
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Enable non-blocking (multi-threaded/concurrent) database reloads.
# This feature will temporarily load a second scanning engine while scanning
# continues using the first engine. Once loaded, the new engine takes over.
# The old engine is removed as soon as all scans using the old engine have
# completed.
# This feature requires more RAM, so this option is provided in case users are
# willing to block scans during reload in exchange for lower RAM requirements.
# Default: yes
#ConcurrentDatabaseReload no
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
#User clamav
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only
# at the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# With this option clamav will try to detect broken media file (JPEG,
# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
# Default: no
#AlertBrokenMedia yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# With this option enabled the DLP module will search for valid Credit Card
# numbers only. Debit and Private Label cards will not be searched.
# Default: no
#StructuredCCOnly yes
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a
# Denial of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000
# This option sets the maximum amount of data to be scanned for each input
# file. Archives and other containers are recursively extracted and scanned
# up to this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes
##
## On-access Scan Settings
##
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Max number of scanning threads to allocate to the OnAccess thread pool at
# startup. These threads are the ones responsible for creating a connection
# with the daemon and kicking off scanning after an event has been processed.
# To prevent clamonacc from consuming all clamd's resources keep this lower
# than clamd's max threads.
# Default: 5
#OnAccessMaxThreads 10
# Max amount of time (in milliseconds) that the OnAccess client should spend
# for every connect, send, and recieve attempt when communicating with clamd
# via curl.
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# Default: no
#OnAccessDisableDDD yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
#OnAccessPrevention yes
# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
# potentially lead to unwanted system behaviour with certain configurations,
# so the client defaults this to off and prefers allowing access events in
# case of scan or connection error.
# Default: no
#OnAccessDenyOnError yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# Default: no
#OnAccessExtraScanning yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt (disable and ignore all options
# related to) the DDD system. This option will result in verdicts only.
# Note that prevention is explicitly disallowed to prevent common, fatal
# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
# made on vital system directories)
# It can be used multiple times.
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# This option allows exclusions via user names when using the on-access
# scanning client. It can be used multiple times.
# It has the same potential race condition limitations of the
# OnAccessExcludeUID option.
# Default: disabled
#OnAccessExcludeUname clamav
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Allow loading bytecode from outside digitally signed .c[lv]d files.
# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
# Doing so may result in arbitrary code execution.
# Default: no
#BytecodeUnsigned yes
# Set bytecode timeout in milliseconds.
#
# Default: 5000
# BytecodeTimeout 1000

452
clamd.conf.rpmsave
View File

@@ -1,452 +0,0 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean no
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
LogVerbose yes
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes
# TCP port address.
# Default: no
TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 5
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
ReadTimeout 120
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
CommandReadTimeout 5
# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
SendBufTimeout 200
# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
MaxQueue 50
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
IdleTimeout 10
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
SelfCheck 43200
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User amavis
# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups yes
# Stop daemon when libclamav reports out of memory condition.
ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
LeaveTemporaryFiles no
# Detect Possibly Unwanted Applications.
# Default: no
DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
IncludePUA Spy
IncludePUA Scanner
IncludePUA RAT
IncludePUA Packed
IncludePUA PwTool
IncludePUA NetTool
IncludePUA P2P
IncludePUA IRC
IncludePUA Tool
IncludePUA Server
IncludePUA Script
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
AlgorithmicDetection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
ScanPE yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
ScanELF yes
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
ScanOLE2 yes
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
OLE2BlockMacros yes
# This option enables scanning within PDF files.
# Default: yes
ScanPDF yes
##
## Mail files
##
# Enable internal e-mail scanner.
# Default: yes
ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
ScanPartialMessages no
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
PhishingSignatures yes
# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
PhishingScanURLs yes
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
PhishingAlwaysBlockSSLMismatch no
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
PhishingAlwaysBlockCloak no
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
HeuristicScanPrecedence no
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
StructuredDataDetection no
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
StructuredSSNFormatNormal no
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
StructuredSSNFormatStripped no
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
ArchiveBlockEncrypted no
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
MaxScanSize 50M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
Bytecode yes
# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
BytecodeSecurity TrustSigned
# Set bytecode timeout in miliseconds.
#
# Default: 5000
BytecodeTimeout 3000

762
clamd.d/scan.conf.rpmnew
View File

@@ -1,762 +0,0 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /var/log/clamd.scan
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Enable Prelude output.
# Default: no
#PreludeEnable yes
#
# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
#PidFile /run/clamd.scan/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /run/clamd.scan/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging.
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamscan
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only
# at the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a
# Denial of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000
# This option sets the maximum amount of data to be scanned for each input
# file. Archives and other containers are recursively extracted and scanned
# up to this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes
##
## On-access Scan Settings
##
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Max number of scanning threads to allocate to the OnAccess thread pool at
# startup. These threads are the ones responsible for creating a connection
# with the daemon and kicking off scanning after an event has been processed.
# To prevent clamonacc from consuming all clamd's resources keep this lower
# than clamd's max threads.
# Default: 5
#OnAccessMaxThreads 10
# Max amount of time (in milliseconds) that the OnAccess client should spend
# for every connect, send, and recieve attempt when communicating with clamd
# via curl.
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# Default: no
#OnAccessDisableDDD yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
#OnAccessPrevention yes
# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
# potentially lead to unwanted system behaviour with certain configurations,
# so the client defaults this to off and prefers allowing access events in
# case of scan or connection error.
# Default: no
#OnAccessDenyOnError yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# Default: no
#OnAccessExtraScanning yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt (disable and ignore all options
# related to) the DDD system. This option will result in verdicts only.
# Note that prevention is explicitly disallowed to prevent common, fatal
# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
# made on vital system directories)
# It can be used multiple times.
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# This option allows exclusions via user names when using the on-access
# scanning client. It can be used multiple times.
# It has the same potential race condition limitations of the
# OnAccessExcludeUID option.
# Default: disabled
#OnAccessExcludeUname clamav
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Set bytecode timeout in milliseconds.
#
# Default: 5000
# BytecodeTimeout 1000

674
clamd.d/scan.conf.rpmsave
View File

@@ -1,674 +0,0 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.scan
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
LogRotate yes
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamd.scan/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5
# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User amavis
# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes
# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no
# Detect partition intersections in raw disk images using heuristics.
# Default: no
#PartitionIntersection no
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be scanned.
# Raw disk images with more partitions than this value will have up to the value number
# partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during scanning.
# HWP3 files using more than this limit will be terminated and alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 10000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 5000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be executed.
# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact performance.
# Default: 25M
#PCREMaxFileSize 100M
##
## On-access Scan Settings
##
# Enable on-access scanning. Currently, this is supported via fanotify.
# Clamuko/Dazuko support has been deprecated.
# Default: no
#ScanOnAccess yes
# Set the mount point to be scanned. The mount point specified, or the mount point
# containing the specified directory will be watched. If any directories are specified,
# this option will preempt the DDD system. This will notify only. It can be used multiple times.
# (On-access scan only)
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line. (On-access scan only)
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# (On-access scan only)
# Default: disabled
#OnAccessExcludePath /home/bofh
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#OnAccessExcludeUID 0
# Toggles dynamic directory determination. Allows for recursively watching include paths.
# (On-access scan only)
# Default: no
#OnAccessDisableDDD yes
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# (On-access scan only)
# Default: no
#OnAccessPrevention yes
# Toggles extra scanning and notifications when a file or directory is created or moved.
# Requires the DDD system to kick-off extra scans.
# (On-access scan only)
# Default: no
#OnAccessExtraScanning yes
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
##
## Statistics gathering and submitting
##
# Enable statistical reporting.
# Default: no
#StatsEnabled yes
# Disable submission of individual PE sections for files flagged as malware.
# Default: no
#StatsPEDisabled yes
# HostID in the form of an UUID to use when submitting statistical information.
# Default: auto
#StatsHostID auto
# Time in seconds to wait for the stats server to come back with a response
# Default: 10
#StatsTimeout 10

69
cloud/cloud.cfg.rpmsave
View File

@@ -1,69 +0,0 @@
users:
- default
disable_root: 1
ssh_pwauth: 0
mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
resize_rootfs_tmp: /dev
ssh_deletekeys: 0
ssh_genkeytypes: ~
syslog_fix_perms: ~
disable_vmware_customization: false
cloud_init_modules:
- disk_setup
- migrator
- bootcmd
- write-files
- growpart
- resizefs
- set_hostname
- update_hostname
- update_etc_hosts
- rsyslog
- users-groups
- ssh
cloud_config_modules:
- mounts
- locale
- set-passwords
- rh_subscription
- yum-add-repo
- package-update-upgrade-install
- timezone
- puppet
- chef
- salt-minion
- mcollective
- disable-ec2-metadata
- runcmd
cloud_final_modules:
- rightscale_userdata
- scripts-per-once
- scripts-per-boot
- scripts-per-instance
- scripts-user
- ssh-authkey-fingerprints
- keys-to-console
- phone-home
- final-message
- power-state-change
system_info:
default_user:
name: centos
lock_passwd: true
gecos: Cloud User
groups: [adm, systemd-journal]
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
shell: /bin/bash
distro: rhel
paths:
cloud_dir: /var/lib/cloud
templates_dir: /etc/cloud/templates
ssh_svcname: sshd
# vim:syntax=yaml

6
csf/csf.deny
View File

@@ -15,9 +15,6 @@
# tcp/udp|in/out|s/d=port,port,...|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
157.230.254.228 # lfd: (PERMBLOCK) 157.230.254.228 (SG/Singapore/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 3 18:53:06 2023
187.200.204.33 # lfd: (PERMBLOCK) 187.200.204.33 (MX/Mexico/México/Toluca/dsl-187-200-204-33-dyn.prod-infinitum.com.mx) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 3 18:57:41 2023
125.143.128.117 # lfd: (PERMBLOCK) 125.143.128.117 (KR/South Korea/Seoul/Seoul/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 3 19:17:38 2023
186.127.72.32 # lfd: (PERMBLOCK) 186.127.72.32 (AR/Argentina/Buenos Aires/La Plata/host32.186-127-72.telecom.net.ar) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 3 19:19:03 2023
185.228.135.38 # lfd: (PERMBLOCK) 185.228.135.38 (RU/Russia/Krasnodar Krai/Krasnodar/-) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 3 22:49:46 2023
5.135.179.178 # lfd: (PERMBLOCK) 5.135.179.178 (FR/France/Oise/Fosseuse/ns3287787.ip-5-135-179.eu) has had more than 2 temp blocks in the last 86400 secs - Mon Apr 3 22:54:51 2023
@@ -1014,3 +1011,6 @@
93.219.101.120 # lfd: (PERMBLOCK) 93.219.101.120 (DE/Germany/Baden-Wurttemberg/Geislingen an der Steige/-) has had more than 2 temp blocks in the last 86400 secs - Thu Jun 15 03:10:34 2023
fe80::18b5:110b:55f:2940 # lfd: (PERMBLOCK) fe80::18b5:110b:55f:2940 (Unknown) has had more than 2 temp blocks in the last 86400 secs - Fri Jun 16 00:40:54 2023
fe80::45e:3b4d:3a8f:184a # lfd: (PERMBLOCK) fe80::45e:3b4d:3a8f:184a (Unknown) has had more than 2 temp blocks in the last 86400 secs - Fri Jun 16 04:44:10 2023
fe80::1c34:5012:f183:9da # lfd: (PERMBLOCK) fe80::1c34:5012:f183:9da (Unknown) has had more than 2 temp blocks in the last 86400 secs - Mon Jun 19 07:45:25 2023
fe80::817:8a6a:f69d:36ab # lfd: (PERMBLOCK) fe80::817:8a6a:f69d:36ab (Unknown) has had more than 2 temp blocks in the last 86400 secs - Wed Jun 21 07:48:49 2023
fe80::8e6:3998:39c:ed5e # lfd: (PERMBLOCK) fe80::8e6:3998:39c:ed5e (Unknown) has had more than 2 temp blocks in the last 86400 secs - Fri Jun 23 03:07:14 2023

1
csf/csf.ignore
View File

@@ -46,3 +46,4 @@
188.25.145.26
5.12.16.177
5.12.35.96

2437
cxs/changelog.txt
View File

File diff suppressed because it is too large Load Diff

50
cxs/cpanelsuspend.example.pl
View File

@@ -1,50 +0,0 @@
#!/usr/local/cpanel/3rdparty/bin/perl
#******************************************************************************
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: sales@waytotheweb.com
#******************************************************************************
# Example cPanel Account Suspend Script when using --all
#
# NOTE: If you intend to use this script, copy it to a different filename as
# this file will be overwritten when cxs upgrades
use strict;
# Set to 1 to have more verbose output
my $verbose = 0;
# Check we have all arguments
if (@ARGV < 4) {print "\ncpanelsuspend.pl: Not enough Args to suspend: @ARGV\n"; exit}
# Check we are running as root
if ($< != 0) {print "\ncpanelsuspend.pl: Not root ($<)\n"; exit}
# Assign arguments to variables
my $filename = $ARGV[0];
my $option = $ARGV[1];
my $message = $ARGV[2];
my $account = $ARGV[3];
# If option is a Virus or Known Exploit
if ($option =~ /v|M$/) {
# if this is definitely a cPanel account
if (-e "/var/cpanel/users/$account") {
# If this account is not already suspended
unless (-e "/var/cpanel/suspended/$account") {
print "\n\ncpanelsuspend.pl: Suspending Account $account...\n";
# Suspend the account
system("/scripts/suspendacct","$account");
print "\n";
} else {if ($verbose) {print "\ncpanelsuspend.pl: Already Suspended\n"}}
} else {if ($verbose) {print "\ncpanelsuspend.pl: Not a cPanel account ($account)\n"}}
} else {if ($verbose) {print "\ncpanelsuspend.pl: Not a suspend option ($option)\n"}}
exit;

129
cxs/csfajaxtail.js
View File

@@ -1,129 +0,0 @@
//#############################################################################
//# Copyright 2006-2016, Way to the Web Limited
//# URL: http://www.configserver.com
//# Email: sales@waytotheweb.com
//#############################################################################
var CSFscript = '';
var CSFcountval = 6;
var CSFlineval = 100;
var CSFcounter;
var CSFcount = 1;
var CSFpause = 0;
var CSFfrombot = 120;
var CSFfromright = 10;
var CSFsettimer = 1;
var CSFheight = 0;
var CSFwidth = 0;
var CSFajaxHTTP = CSFcreateRequestObject();
function CSFcreateRequestObject() {
var CSFajaxRequest;
if (window.XMLHttpRequest) {
CSFajaxRequest = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
CSFajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
}
else {
alert('There was a problem creating the XMLHttpRequest object in your browser');
CSFajaxRequest = '';
}
return CSFajaxRequest;
}
function CSFsendRequest(url) {
var now = new Date();
CSFajaxHTTP.open('get', url + '&nocache=' + now.getTime());
CSFajaxHTTP.onreadystatechange = CSFhandleResponse;
CSFajaxHTTP.send();
document.getElementById("CSFrefreshing").style.display = "inline";
}
function CSFhandleResponse() {
if(CSFajaxHTTP.readyState == 4 && CSFajaxHTTP.status == 200){
var response = CSFajaxHTTP.responseText;
if(response) {
var CSFobj = document.getElementById("CSFajax");
CSFobj.innerHTML = CSFajaxHTTP.responseText;
windowSize();
if (CSFheight > 0) {CSFobj.style.height = (CSFheight - CSFobj.offsetTop - CSFfrombot) + "px";}
if (CSFwidth > 0) {CSFobj.style.width = (CSFwidth - CSFobj.offsetLeft - CSFfromright) + "px";}
CSFobj.scrollTop = CSFobj.scrollHeight;
document.getElementById("CSFrefreshing").style.display = "none";
if (CSFsettimer) {CSFcounter = setInterval(CSFtimer, 1000);}
}
}
}
function CSFgrep() {
var CSFlogobj = document.getElementById("CSFlognum");
var CSFlognum;
if (CSFlogobj) {CSFlognum = '&lognum=' + CSFlogobj.options[CSFlogobj.selectedIndex].value}
else {CSFlognum = ""}
if (document.getElementById("CSFgrep_i").checked) {CSFlognum = CSFlognum + "&grepi=1"}
if (document.getElementById("CSFgrep_E").checked) {CSFlognum = CSFlognum + "&grepE=1"}
var CSFurl = CSFscript + '&grep=' + document.getElementById("CSFgrep").value + CSFlognum;
if (document.getElementById("CSFgrep_D").checked) {
window.open(CSFurl);
} else {
CSFsendRequest(CSFurl);
}
}
function CSFtimer() {
if (CSFpause) {return}
CSFcount = CSFcount - 1;
document.getElementById("CSFtimer").innerHTML = CSFcount;
if (CSFcount <= 0) {
clearInterval(CSFcounter);
var CSFlogobj = document.getElementById("CSFlognum");
var CSFlognum;
if (CSFlogobj) {CSFlognum = '&lognum=' + CSFlogobj.options[CSFlogobj.selectedIndex].value}
else {CSFlognum = ""}
CSFsendRequest(CSFscript + '&lines=' + document.getElementById("CSFlines").value + CSFlognum);
CSFcount = CSFcountval;
return;
}
}
function CSFpausetimer() {
if (CSFpause) {
CSFpause = 0;
document.getElementById("CSFpauseID").innerHTML = "Pause";
}
else {
CSFpause = 1;
document.getElementById("CSFpauseID").innerHTML = "Continue";
}
}
function CSFrefreshtimer() {
var pause = CSFpause;
CSFcount = 1;
CSFpause = 0;
CSFtimer();
CSFpause = pause;
CSFcount = CSFcountval - 1;
document.getElementById("CSFtimer").innerHTML = CSFcount;
}
function windowSize() {
if( typeof( window.innerHeight ) == 'number' ) {
CSFheight = window.innerHeight;
CSFwidth = window.innerWidth;
}
else if (document.documentElement && (document.documentElement.clientHeight)) {
CSFheight = document.documentElement.clientHeight;
CSFwidth = document.documentElement.clientWidth;
}
else if (document.body && (document.body.clientHeight)) {
CSFheight = document.body.clientHeight;
CSFwidth = document.body.clientWidth;
}
}
//#############################################################################
//# Copyright 2006-2016, Way to the Web Limited
//# URL: http://www.configserver.com
//# Email: sales@waytotheweb.com
//#############################################################################

BIN
cxs/cxs.data
View File

Binary file not shown.

1
cxs/cxs.default
View File

@@ -1 +0,0 @@
ignore=/etc/cxs/cxs.ignore

1
cxs/cxs.defaults.example
View File

@@ -1 +0,0 @@
ignore=/etc/cxs/cxs.ignore

BIN
cxs/cxs.fp
View File

Binary file not shown.

85
cxs/cxs.ignore
View File

@@ -1,85 +0,0 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of files, directories, users and regex matches that
# cxs will ignore.
#
# You must use the following format:
#
# user: - ignore user
# file: - ignore file
# dir: - ignore directory
# sym: - ignore symlink
# script: - ignore web script (ModSecurity hook)
#
# puser: - regex of users to ignore
# pfile: - regex of files to ignore
# pdir: - regex of directories to ignore
# psym: - regex of symlinks to ignore
# pscript: - regex of web script to ignore (ModSecurity hook)
#
# The following do not apply to web script uploads via ModSecurity hook:
# hfile: - ignore file relative to a users homedir
# hdir: - ignore directory relative to a users homedir
# hsym: - ignore symlink relative to a users homedir
#
# match: - ignore regex pattern match
# md5sum: - ignore file md5sum
# fp: - ignore fingerprint match
#
# The following only apply to web and ftp script uploads:
# ip: - ignore uploads from IP address
#
# You can include additional entries using external files with:
# Include /path/to/cxs.altignore
#
hdir:/etc
hdir:/mail
hdir:/tmp
hdir:/.cagefs
hdir:/.fantasticodata
hdir:/.rvsitebuilder
hdir:/.sqmaildata
hdir:/.trash
hdir:/.quarantine
hdir:/quarantine_clamavconnector
hsym:/access-logs
hfile:/public_html/cgi-bin/randhtml.cgi
hfile:/public_html/cgi-bin/entropybanner.cgi
hfile:/public_html/cgi-bin/cgiemail
hfile:/public_html/cgi-bin/cgiecho
hfile:/public_html/cgi-bin/cpdownload/cpaneldownacct.cgi
hfile:/public_html/cgi-bin/cpdownload/cpaneldownload.cgi
hfile:/public_html/cgi-bin/cpdownload/cpanelkill.cgi
hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.c
hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.cgi
pfile:^/tmp/clamav-.*
pdir:^/tmp/clamav-.*
pfile:^/tmp/cxs_.*
md5sum:f3c8aaf882d1ed25a7f5fe7fd2ee4d9d
match:symlink\s*\(
# ignore specific file types
pfile:.*\.xap$
pfile:.*\.jpg$
pfile:.*\.jp2$
pfile:.*\.jpeg$
pfile:.*\.bmp$
pfile:.*\.gif$
pfile:.*\.tif$
pfile:.*\.flv$
pfile:.*\.mp2$
pfile:.*\.mp3$
pfile:.*\.mp4$
pfile:.*\.wav$
pfile:.*\.avi$
pfile:.*\.mov$
pfile:.*\.pdf$
pfile:.*\.doc$
pfile:.*\.docx$
pfile:.*\.xls$
pfile:.*\.ppt$
pfile:.*\.txt$

61
cxs/cxs.ignore.example
View File

@@ -1,61 +0,0 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of files, directories, users and regex matches that
# cxs will ignore.
#
# You must use the following format:
#
# user: - ignore user
# file: - ignore file
# dir: - ignore directory
# sym: - ignore symlink
# script: - ignore web script (ModSecurity hook)
#
# puser: - regex of users to ignore
# pfile: - regex of files to ignore
# pdir: - regex of directories to ignore
# psym: - regex of symlinks to ignore
# pscript: - regex of web script to ignore (ModSecurity hook)
#
# The following do not apply to web script uploads via ModSecurity hook:
# hfile: - ignore file relative to a users homedir
# hdir: - ignore directory relative to a users homedir
# hsym: - ignore symlink relative to a users homedir
#
# match: - ignore regex pattern match
# md5sum: - ignore file md5sum
# fp: - ignore fingerprint match
#
# The following only apply to web and ftp script uploads:
# ip: - ignore uploads from IP address
#
# You can include additional entries using external files with:
# Include /path/to/cxs.altignore
#
hdir:/etc
hdir:/mail
hdir:/tmp
hdir:/.cagefs
hdir:/.fantasticodata
hdir:/.rvsitebuilder
hdir:/.sqmaildata
hdir:/.trash
hdir:/.quarantine
hdir:/quarantine_clamavconnector
hsym:/access-logs
hfile:/public_html/cgi-bin/randhtml.cgi
hfile:/public_html/cgi-bin/entropybanner.cgi
hfile:/public_html/cgi-bin/cgiemail
hfile:/public_html/cgi-bin/cgiecho
hfile:/public_html/cgi-bin/cpdownload/cpaneldownacct.cgi
hfile:/public_html/cgi-bin/cpdownload/cpaneldownload.cgi
hfile:/public_html/cgi-bin/cpdownload/cpanelkill.cgi
hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.c
hfile:/public_html/cgi-bin/cpdownload/cpanelwrap.cgi
pfile:^/tmp/clamav-.*
pdir:^/tmp/clamav-.*
pfile:^/tmp/cxs_.*
md5sum:f3c8aaf882d1ed25a7f5fe7fd2ee4d9d

39
cxs/cxs.monitor.example
View File

@@ -1,39 +0,0 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of files and directories for cxs Watch to monitor.
# The feature is intended to only monitor a small number of infrequently used
# files or small directories and generate reports of the changes
#
# You must use the following format of one record per line:
#
# options|interval|/path/to/resource
#
# options (standard):
# C = Created
# M = Modified
# A = Attributes Changed
# D = Deleted
#
# options (additional):
# 5 = Compare before and after file md5sums - not recommended with large files
# or directories that could affect performance
# X = Compare before and after file contents (creates diff output) when
# modified - not generally recommended due to memory requirements
# Q = Store a copy of before and after files in quarantine when modified - not
# generally recommended as it may impact disk space
# L = Log continuous report to /var/log/cxsmonitor.log
#
# interval:
# Seconds before a report is sent (i.e. not sent less than NN seconds apart),
# e.g. 60 will not send report less than 1 minute apart
#
# /path/to/resource:
# The full path to a file or directory to monitor
#
# Example to monitor cron job changes and report not more that once per minute:
#CMAD|60|/var/spool/cron/
#
# For more information see the cxs POD documentation

1933
cxs/cxs.pl
View File

File diff suppressed because one or more lines are too long

1558
cxs/cxs.pod
View File

File diff suppressed because it is too large Load Diff

0
cxs/cxs.sec
View File

BIN
cxs/cxs.sver
View File

Binary file not shown.

11
cxs/cxs.template.example
View File

@@ -1,11 +0,0 @@
From: [from]
To: [to]
CC: [user]
Subject: cxs Scan on [hostname] (Hits:[hits]) (Viruses:[viruses]) (Fingerprints:[fingerprints])
Time : [time]
User Contact: [user]
The following has been reported by the ConfigServer eXploit Scanner running on [hostname]:
[text]

33
cxs/cxs.xtra
View File

@@ -1,33 +0,0 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of regular expression matches and filenames that
# cxs will additionally scan for, one per line.
#
# You must use the following format:
#
# regall: - regular expression match for all script files
# regphp: - regular expression match for only php script files
# regperl: - regular expression match for only perl script files
# regfile: - regular expression match for a file or directory name
# file: - file or directory name match (not a regex)
# md5sum: - md5sum of a file to match as: Known exploit = [Fingerprint Match]
#
# Examples:
# regall:/etc/passwd
# regfile:\.pl$
# file:r00t.php
#
# To force quarantine of a file when using --quarantine, prefix the match with
# "quarantine:", e.g.:
#
# regall:quarantine:/etc/passwd
# regfile:quarantine:\.pl$
# file:quarantine:r00t.php
#
# You can include additional entries using external files with:
# Include /path/to/cxs.altxtra
#
# Note: All regex's must be properly specified and escaped to work correctly

33
cxs/cxs.xtra.example
View File

@@ -1,33 +0,0 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of regular expression matches and filenames that
# cxs will additionally scan for, one per line.
#
# You must use the following format:
#
# regall: - regular expression match for all script files
# regphp: - regular expression match for only php script files
# regperl: - regular expression match for only perl script files
# regfile: - regular expression match for a file or directory name
# file: - file or directory name match (not a regex)
# md5sum: - md5sum of a file to match as: Known exploit = [Fingerprint Match]
#
# Examples:
# regall:/etc/passwd
# regfile:\.pl$
# file:r00t.php
#
# To force quarantine of a file when using --quarantine, prefix the match with
# "quarantine:", e.g.:
#
# regall:quarantine:/etc/passwd
# regfile:quarantine:\.pl$
# file:quarantine:r00t.php
#
# You can include additional entries using external files with:
# Include /path/to/cxs.altxtra
#
# Note: All regex's must be properly specified and escaped to work correctly

BIN
cxs/cxs/images/cxs_small.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 4.8 KiB

BIN
cxs/cxs/images/icon.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 811 B

50
cxs/cxs/index.cgi
View File

@@ -1,50 +0,0 @@
#!/usr/bin/perl
###############################################################################
# Copyright 2009-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# start main
use strict;
use File::Find;
use Fcntl qw(:DEFAULT :flock);
use Sys::Hostname qw(hostname);
use IPC::Open3;
use File::Copy;
use Digest::MD5;
our ($script, $script_da, $images, %FORM, $myv, %in);
my ($childin, $childout);
my $pid = open3($childin, $childout, $childout, "/usr/sbin/cxs --version");
my @data = <$childout>;
waitpid ($pid, 0);
chomp @data;
if ($data[0] =~ /v(.*)$/) {$myv = $1}
$script = "/cxs/index.cgi";
$images = "/cxs/images";
print "Content-type: text/html\r\n\r\n";
do '../web-lib.pl';
&init_config();
&ReadParse();
%FORM = %in;
print <<EOF;
<!DOCTYPE html>
<HTML>
<HEAD>
<TITLE>ConfigServer Security & Firewall</TITLE>
</HEAD>
<BODY>
EOF
unless ($FORM{action} eq "tailcmd" or $FORM{action} eq "logtailcmd") {
print "<img src='images/cxs_small.png' align='absmiddle' /> <b style='font-size: 16px'>ConfigServer Exploit Scanner - cxs v$myv</b>";
}
do "/etc/cxs/cxsui.pl";
print "</BODY>\n</HTML>\n";
1;

3
cxs/cxs/module.info
View File

@@ -1,3 +0,0 @@
name=cxs
desc=ConfigServer Exploit Scanner
category=system

20
cxs/cxscgi.sh
View File

@@ -1,20 +0,0 @@
#!/bin/sh
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The option --cgi MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
#/usr/sbin/cxs --quiet --cgi --smtp --mail root --quarantine /home/safe/ "$1"
#/usr/sbin/cxs --quiet --cgi --delete --logfile /var/log/cxs.log --cleanlog "$1"
#
# If you use --logfile, remember to chmod 666 [file] to allow write access
#
# You should include --smtp to allow the nobody user (which ModSecurity runs
# under) to send email.
#/usr/sbin/cxs --quiet --cgi --smtp --mail root "$1"
/usr/sbin/cxs --quiet --cgi --block --smtp --mail csf@gazduire.ro --qoptions mMOfSGchdnTv -I /etc/cxs/cxs.ignore --logfile /var/log/cxs.log "$1"

54
cxs/cxschroot.sh
View File

@@ -1,54 +0,0 @@
#!/bin/sh
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# Experimental procedure to create a chroot environment for script decoding
DESTDIR="/home/cxschroot"
echo -n "Preparing chroot environment..."
mkdir -p $DESTDIR/sys
mkdir -p $DESTDIR/proc
mkdir -p $DESTDIR/dev
mkdir -p $DESTDIR/etc
mkdir -p $DESTDIR/tmp
mkdir -p $DESTDIR/lib
mkdir -p $DESTDIR/lib64
cp /lib/libgcc* $DESTDIR/lib/
if [ -d "/lib64/" ]; then
cp /lib64/libgcc* $DESTDIR/lib64/
fi
echo "DONE"
echo -n "Copying files..."
for prog in /bin/bash /bin/ls /usr/bin/id /usr/local/bin/php /usr/bin/php; do
if [ -e $prog ]; then
mkdir -p $DESTDIR/`dirname $prog`
cp $prog $DESTDIR/$prog
for lib in `ldd $prog |sed -rn 's/[^\/]*(.*\/lib.*\/[^ ]*).*/\1/gp'`; do
mkdir -p $DESTDIR/`dirname $lib`
cp $lib $DESTDIR/$lib
done
fi
done
echo "DONE"
echo "Adding cxschroot user..."
useradd -M -s /bin/false cxschroot
chown cxschroot:cxschroot $DESTDIR/tmp
echo "DONE"
echo "Block outgoing connections by cxschroot in csf..."
echo '#!/bin/bash
/sbin/iptables -I OUTPUT -m owner --uid-owner cxschroot -j DROP
' >> /etc/csf/csfpost.sh
chmod +x /etc/csf/csfpost.sh
/sbin/iptables -I OUTPUT -m owner --uid-owner cxschroot -j DROP
echo "DONE"
echo
echo "You should now be able to use : cxs --chroot /home/cxschroot --chuser cxschroot ..."
echo "You can test the chroot environment using: cxs --chroot /home/cxschroot --chuser cxschroot --chtest"
echo

28
cxs/cxscron.txt
View File

@@ -1,28 +0,0 @@
Taken from man -s5 crontab:
<p>Commands are executed by cron when the minute, hour, and month of year fields match the current time, and at least one of the two day fields (day of month, or day of week) match the current time (see "Note" below). Note that this means that non-existent times, such as "missing hours" during daylight savings conversion, will never match, causing jobs scheduled during the "missing times" not to be run. Similarly, times that occur more than once (again, during daylight savings conversion) will cause matching jobs to be run twice.</p>
<p>cron examines cron entries once every minute.</p>
<p>The time and date fields are:</p>
<pre>
field allowed values
----- --------------
minute 0-59
hour 0-23
day of month 1-31
month 1-12 (or names, see below)
day of week 0-7 (0 or 7 is Sun, or use names)
</pre>
<p>A field may be an asterisk (*), which always stands for "first-last".</p>
<p>Ranges of numbers are allowed. Ranges are two numbers separated with a hyphen. The specified range is inclusive. For example, 8-11 for an "hours" entry specifies execution at hours 8, 9, 10 and 11.</p>
<p>Lists are allowed. A list is a set of numbers (or ranges) separated by commas. Examples: "1,2,5,9", "0-4,8-12".</p>
<p>Step values can be used in conjunction with ranges. Following a range with "<number>" specifies skips of the number's value through the range. For example, "0-23/2" can be used in the hours field to specify command execution every other hour (the alternative in the V7 standard is "0,2,4,6,8,10,12,14,16,18,20,22"). Steps are also permitted after an asterisk, so if you want to say "every two hours", just use "*/2".</p>
<p>Names can also be used for the "month" and "day of week" fields. Use the first three letters of the particular day or month (case doesn't matter). Ranges or lists of names are not allowed.<p>
<p>The "sixth" field (the rest of the line) specifies the command to be run. The entire command portion of the line, up to a newline or % character, will be executed by /bin/sh or by the shell specified in the SHELL variable of the cronfile. Percent-signs (%) in the command, unless escaped with backslash (\), will be changed into newline characters, and all data after the first % will be sent to the command as standard input.</p>
<p>Note: The day of a command's execution can be specified by two fields: day of month, and day of week. If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. For example, "30 4 1,15 * 5" would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.</p>

17
cxs/cxsdaily.sh
View File

@@ -1,17 +0,0 @@
#!/bin/sh
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# Run this script via cron daily
# Daily update of cxs and/or fingerprint definitions
/usr/sbin/cxs --upgrade --quiet
# Daily cleanup of quarantine if used. Modify to specify your quarantine
# directory and duplicate if you use more than one.
#
# Set --qclean to the number of days to retain, e.g. 7 = one week
/usr/sbin/cxs --qclean 7 --quarantine /home/quarantine --quiet

18
cxs/cxsftp.sh
View File

@@ -1,18 +0,0 @@
#!/bin/sh
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The option --ftp MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --quiet --ftp --mail root "$1"
#/usr/sbin/cxs --quiet --ftp --mail root --quarantine /home/safe/ "$1"
#/usr/sbin/cxs --quiet --ftp --mail root --quarantine /home/safe/ --block "$1"
#/usr/sbin/cxs --quiet --ftp --logfile /var/log/cxs.log "$1"
#
# If you use --logfile, remember to chmod 666 [file] to allow write access
#/usr/sbin/cxs --quiet --ftp --smtp --mail root "$1"
/usr/sbin/cxs --quiet --ftp --exploitscan --virusscan --block --smtp --mail csf@gazduire.ro -I /etc/cxs/cxs.ignore --logfile /var/log/cxs.log --quarantine /home/quarantine/ --qoptions Mfchv -C /tmp/ clamd -E "$1"

24
cxs/cxsui.pl
View File

File diff suppressed because one or more lines are too long

19
cxs/cxswatch.sh
View File

@@ -1,19 +0,0 @@
#!/bin/sh
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The option --Wstart MUST be used on the cxs command line here
#
# Examples (only use ONE line for cxs scanning):
#/usr/sbin/cxs --Wstart --allusers --mail root
#/usr/sbin/cxs --Wstart --allusers --www --mail root --quarantine /home/safe/ --qoptions Mv --Wadd /etc/cxs/cxs.wadd
#
# We would recommend using --qoptions Mv initially if you use --quarantine
# otherwise you might find cxs quarantining files that you do not want to.
# For example, you probably do NOT want to quarantine all script files (T)!
#
#/usr/sbin/cxs --options -wW --Wstart --allusers --www --smtp --mail root --Wmaxchild 3 --Wloglevel 0 --Wsleep 3 --filemax 0 --Wrateignore 300
/usr/sbin/cxs --Wstart --allusers --www --exploitscan --virusscan --block --smtp --mail csf@gazduire.ro -Q /home/quarantine/ -I /etc/cxs/cxs.ignore --options mMvOfuSGchnZRD --qoptions mMfcv -C /tmp/clamd --Wmaxchild 1 --Wloglevel 0 --Wsleep 5 --filemax 0 --Wrateignore 300 --Wsymlink /etc/cxs/symlinkdisable.pl

BIN
cxs/cxswebmin.tgz
View File

Binary file not shown.

55
cxs/htaccessdisable.example.pl
View File

@@ -1,55 +0,0 @@
#!/usr/local/cpanel/3rdparty/bin/perl
#******************************************************************************
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: sales@waytotheweb.com
#******************************************************************************
# Example to disable a directory containing a match using a .htaccess file
#
# NOTE: If you intend to use this script, copy it to a different filename as
# this file will be overwritten when cxs upgrades
use strict;
use File::Basename;
# Set to 1 to have more verbose output
my $verbose = 0;
if (@ARGV < 2) {print "\ncpanelsuspend.pl: Not enough Args to suspend: @ARGV\n"; exit}
# Assign arguments to variables
my $filename = $ARGV[0];
my $option = $ARGV[1];
my $message = $ARGV[2];
my $account = $ARGV[3];
# Get the directory name from the file name
my $dirname = dirname($filename);
# If option is a Virus or Known Exploit
if ($option =~ /v|M$/) {
# Check we have a directory
if (-d $dirname) {
# Check that we haven't already disabled a .htaccess file in this directory
if (!(-e "$dirname/.htaccess.cxs_disable") and -e "$dirname/.htaccess") {
system("/bin/cp","-a","$dirname/.htaccess","$dirname/.htaccess.cxs_disable");
}
elsif (-e "$dirname/.htaccess.cxs_disable" and !(-e "$dirname/.htaccess")) {
unlink("$dirname/.htaccess.cxs_disable");
}
# Write out a new .htaccess file denying access
open (my $HTACCESS, ">", "$dirname/.htaccess") or die "htaccessdisable.pl: Unable to create [$dirname/.htaccess] - $!";
print $HTACCESS "#cxs has disabled web access to this directory\n";
print $HTACCESS "deny from all\n";
close ($HTACCESS) or die "htaccessdisable.pl: Unable to create [$dirname/.htaccess] - $!";
if ($verbose) {print "\nhtaccessdisable.pl: Directory [$dirname] disabled\n"}
} else {if ($verbose) {print "\nhtaccessdisable.pl: Directory for [$filename] does not exist\n"}}
} else {if ($verbose) {print "\nhtaccessdisable.pl: Not a suspend option ($option)\n"}}
exit;

151
cxs/install.txt
View File

@@ -1,151 +0,0 @@
###############################################################################
# Copyright 2009-2016, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
Installation
============
1. Product installation:
wget http://download.configserver.com/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv cxsinstaller.*
2. You should now read the cxs documentation either through:
1. The UI
2. # perldoc cxs
3. # cxs --help
If you decide to use the cxs Watch daemon you can skip items 3 to 5. Instead,
read the documentation under the cxs Watch Daemon section on using this method.
To install the required perl module for the cxs Watch daemon on a cPanel server
you can use:
/scripts/perlinstaller Linux::Inotify2
3. You will want to modify the following files to suit your requirements after
you have read the cxs documentation and studied the CLI option. These files
can be changed at any time and contain the cxs commands and options you want
to use for scanning files as they are uploaded:
The pure-ftpd upload scanner script that runs cxs:
/etc/cxs/cxsftp.sh
The web script upload scanner script that runs cxs:
/etc/cxs/cxscgi.sh
4. Web script upload scanning is performed via mod_security.
This can be enabled two ways:
a. Add the following two lines (be careful of line breaks) to your mod_security
rules file (/usr/local/apache/conf/modsec2.user.conf on cPanel):
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"
SecUploadKeepFiles RelevantOnly
SecTmpDir /tmp
If you allow the uploading of very large files, you may need to
increase the default mod_security allowable size of 128MB by using the
SecRequestBodyLimit directive after SecRequestBodyAccess:
SecRequestBodyLimit 134217728
This value is in bytes (134217728 = 128MB). You might also want to
create the temporary files in a directory other than /tmp using:
SecTmpDir /path/to/dir
Where /path/to/dir is a directory where the large files can be
temporarily stored and must be writable to by the nobody user
Then restart httpd
b. Use the inbuilt cPanel ModSecurity Vendor Rules mechanism by either:
1. WHM > ModSecurity Vendors > Add Vendor > Vendor Configuration URL
https://download.configserver.com/waf/meta_configserver.yaml
Save and then restart httpd
or
2. Issue the following commands:
/scripts/modsec_vendor add https://download.configserver.com/waf/meta_configserver.yaml
/scripts/modsec_vendor enable configserver
Then restart httpd
You can have the ConfigServer Vendor enabled along with any other Vendor
that you may already be using.
5. Pure-ftpd upload scanning requires you to edit the active pure-ftpd.conf
(e.g. /etc/pure-ftpd.conf) and adding/modifying the line:
CallUploadScript yes
Note: Pure-ftpd must be compiled with --with-uploadscript option (usually
done by default)
On Linux:
Then restart pure-ftpd and pure-uploadscript. The installation process adds
a new service in /etc/init.d/pure-uploadscript which runs as a daemon and
passes ftp uploads to /etc/cxs/cxsftp.sh
On FreeBSD:
Then add the following lines to /etc/rc.conf:
pureftpd_enable="YES"
pureftpd_upload_enable="YES"
pureftpd_uploadscript="/etc/cxs/cxsftp.sh"
Then restart pure-ftpd
6. ClamAV scanning requires a running clamd daemon. By default cxs will look
for the clamd socket at /tmp/clamd and /var/clamd, if it is located
elsewhere then you must use the --clamdsock option and pass the socket
location in every cxs call (i.e. in cxsftp.sh, cxscgi.sh and the cxs CLI) or
use a cxs.defaults file.
7. If you want automatic updates then use the following as an example:
ln -s /etc/cxs/cxsdaily.sh /etc/cron.daily/
8. You can test ModSecurity upload checks by running the following command
which will trigger the cxs ModSecurity rule if correctly configured:
curl -F "file=@/etc/cxs/test/testexploit.php" 127.0.0.1
To test FTP uploads, download /etc/cxs/test/testexploit.php and then upload
using ftp.
9. See the RECOMMENDATIONS in the cxs POD documentation
Webmin Module Installation/Upgrade (not yet implemented)
==================================
To install or upgrade the cxs webmin module:
Install cxs as above
Install the cxs webmin module in:
Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/cxs/cxswebmin.tgz > Install Module
Uninstallation
==============
Reverse items 4, 5 and 7 above, then:
cd /etc/cxs
sh uninstall.sh
cd /root

223
cxs/license.txt
View File

@@ -1,223 +0,0 @@
Way to the Web Product License
LICENCE TERMS AND CONDITIONS
1. LICENCE
1.1 Way to the Web Limited of 73, Donaldson Way, Woodley,
Reading, Berkshire, RG5 4XL ("Way to the Web") hereby grants
you a non-exclusive, non-transferable licence to download and
use (the "Product") and the accompanying documentation (the
"Documentation") on the following terms.
1.2 The copyright and all other rights in the Product and the
Documentation remain with Way to the Web.
2. ACCEPTANCE
You are deemed to have accepted the terms and conditions of this
Licence by downloading the Product.
3. SCOPE OF LICENCE
3.1 You shall not:
3.1.1 modify, adapt, merge, translate, decompile,
disassemble, or reverse engineer the Product, except as
permitted by law; or
3.1.2 sell, assign, rent, sub-license, loan, mortgage,
charge or otherwise deal in any way in the Product or
Documentation or any interest in them except as expressly
provided in this Licence.
4. DURATION OF LICENCE
4.1 This Licence shall commence on the date hereof and, subject
to other terms of this Licence, shall continue thereafter for as
long as you continue to use the Product.
4.2 This Licence shall terminate automatically if you fail to
abide by any of its terms.
4.3 Upon termination of this Licence you shall destroy the
Product and the Documentation and shall erase all copies of the
Product under your control and stored on any medium.
5. WARRANTIES AND REMEDIES
5.1 Way to the Web warrants that for a period of 90 days from the
date that the Product is downloaded, it will provide the facilities
and functions set out in the Documentation when properly used and
further, that the Documentation will provide adequate instruction to
enable you to make proper use of such facilities and functions.
5.2 The said warranty shall be subject to you complying with
your obligations hereunder and to there having been made no
alterations to the Product by any person other than Way to the Web.
When notifying a defect or error you shall (so far as you are able)
provide Way to the Web with a documented example of such defect or
error.
5. 3 Way to the Web shall have no liability or obligations under
the said warranty other than to remedy breaches thereof by the
provision of materials and services within a reasonable time and
without charge to you. If Way to the Web shall fail to comply with
such obligations its liability for such failure shall be limited as
specified in Clause 6. The foregoing states the entire liability of
Way to the Web, whether in contract or tort, for defects and errors
in the Products and the Documentation.
5.4 You acknowledge that the Products have not been prepared to
meet your individual requirements and that it is therefore your
responsibility to ensure that the facilities and functions described
in the Documentation meet your requirements. Way to the Web shall not
be liable for any failure of the Products to provide any facility or
function not specified in the Documentation
5.5 Way to the Web does not warrant that the operation of the
Products will be uninterrupted or error free or that all errors will
be remedied.
5.6 Except as expressly provided in this Licence, no warranty,
condition, undertaking or term, express or implied, statutory or
otherwise, as to the condition, quality, performance or fitness for
purpose of the Products or the Documentation is given or assumed by
Way to the Web and all such warranties, conditions, undertakings and
terms are hereby excluded to the fullest extent permitted by law.
6. LIABILITY
6.1 Way to the Web will indemnify you and keep you fully and
effectively indemnified against any loss of or damage to any property
or injury to or death of any person caused by any negligent act or
omission or wilful misconduct of Way to the Web, its employees,
agents or sub-contractors or by any breach of its contractual
obligations arising out of this Licence.
6.2 Except in respect of injury to or death of any person caused
by negligence (for which no limit applies) Way to the Web's
liability to you under sub-clause 6.1 above in respect of each event
or series of connected events shall not exceed one and a half times
the price you paid to licence the Product.
6.3 Notwithstanding anything else contained in this Licence, Way
to the Web shall not be liable to you for loss of profits or
contracts or indirect or consequential loss or damage whether arising
from negligence, breach of contract or howsoever caused
6.4 Way to the Web shall not be liable to you for any loss
arising out of your failure to keep full and up-to-date security
copies of the computer programs and data you use.
7. CONFIDENTIAL INFORMATION
7.1 You undertake to treat as confidential and keep secret all
information contained or embodied in the Products and the
Documentation which, by its nature has the necessary quality of
confidence about it ("Confidential Information"), provided that this
clause shall not extend to any information which is already public
knowledge or becomes so at a future date (otherwise than as a result
of a breach of this clause).
7.2 You shall not without the prior written consent of Way to the
Web divulge any part of the Confidential Information to any person
except to:
7.2.1 your own employees and then only to those employees
who need to know the same;
7.2.2 your auditors and any other persons or bodies having
a right duty or obligation to know your business and then
only in pursuance of such right duty or obligation;
7.2.3 any person who is from time to time appointed by you
to maintain your network, website or the equipment upon
which the Product is being used (in accordance with the terms
of the Licence) and then only to the extent necessary to
enable such person properly to maintain such network, website
or equipment.
7.3 You undertake to ensure that the persons and bodies mentioned
in paragraphs 7.2.1, 7.2.2 and 7.2.3 are made aware prior to the
disclosure of any part of the Confidential Information that the same
is confidential and that they owe a duty of confidence to Way to the
Web. You shall indemnify Way to the Web against any loss or damage
which Way to the Web may sustain or incur as a result of your
failing to comply with such undertaking
7.4 You shall promptly notify Way to the Web if you become aware
of any breach of confidence by any person to whom you divulge all or
any part of the Confidential Information and shall give Way to the
Web all reasonable assistance in connection with any proceedings
which Way to the Web may institute against such person for breach of
confidence.
7.5 The foregoing obligations as to confidentiality shall remain
in full force and effect notwithstanding any termination of this
Licence.
8. INDEMNITIES
8.1 Way to the Web shall indemnify you against any claim that the
normal use or possession of the Products and/or Documentation
infringes the intellectual property rights of any third party
provided that Way to the Web is given immediate and complete control
of such claim, that you do not prejudice Way to the Web's defence
of such claim, that you give Way to the Web all reasonable
assistance with such claim and that the claim does not arise as a
result of the use of the Products and/or Documentation in combination
with any equipment or programs not supplied or approved by Way to
the Web. Way to the Web shall have the right to replace or change all
or any part of the Products and/or Documentation in order to avoid
any infringement. The foregoing states the entire liability of Way to
the Web to you in respect of the infringement of the intellectual
property rights of any third party
8.2 Except to the extent caused by Way to the Web's breach of
its obligations hereunder, or its negligent or wilful misconduct in
connection with this Licence, and without limiting Way to the Web's
obligations in sub-clause 8.1 above, you shall indemnify and hold
Way to the Web harmless from any and all liability, loss and damage
Way to the Web may suffer as a result of claims demands or judgments
by any third party arising out of your use or operation of the
Products, the Documentation and related output. You shall, at your
expense, defend any such action, suit or claim against Way to the
Web.
9. SUPPORT
Way to the Web's technical support staff will, between the hours of
9.00 and 17.30 UK time Monday to Friday inclusive (except on bank and
public holidays), endeavour to answer on-line or by email any queries
you may have about the Product. For support please either use the
on-line support desk or the on-line support forum given on our
Website or in the Documentation. Any Product updates that may be
made available by Way to the Web from time to time will be supplied
at Way to the Web's then prevailing charges and subject to Way to the
Web's then prevailing terms and conditions. Way to the Web does not
guarantee backward compatibility with previous versions of the
Product as it retains the right to add, remove or modify any feature
or function in previous versions, at its sole discretion.
10. OTHER SERVICES
Way to the Web may also provide you with, at its option and subject
to its then prevailing charges and terms and conditions, other
services in relation to the Product, such as installation and
consultancy services. Please contact Way to the Web at the number
given on our Website or in the Documentation for more information
about such services.
11. CONSUMERS
If you deal as a consumer as defined in the Unfair Contract Terms Act
1977, your statutory rights remain unaffected.
12. LAW
This Licence constitutes the entire agreement between you and Way to
the Web relating to the Product and the Documentation and is governed
by and construed in accordance with the laws of England. The courts
of England shall have exclusive jurisdiction.

BIN
cxs/new.fp
View File

Binary file not shown.

134
cxs/reference.txt
View File

@@ -1,134 +0,0 @@
Exploit Scanning Reference
==========================
m = Regular expression match = [regex]
cxs has a regular expression lookup table which it uses to identify suspicious
files. These regex patterns look for two types of text constructs. Firstly,
those of known exploits (a fingerprint approach). Secondly, generic text
constructs found in common between many types of exploit (a heuristic
approach). For example, one of the regex patterns looks for the use of base64
encoded data in PHP scripts. This method of obfuscation is typically used by
exploits to hide their true purpose. If this regex is matched from the text
in a file, then that file will be reported as suspicious. You can ignore
specific regex patterns using an ignore file and the match: prefix.
M = Known exploit = [Fingerprint Match]
cxs uses a lookup table of over 4500 exploit script fingerprints and matches
scripts that have an identical fingerprint value.
O = socket
A socket is typically used to transfer data between two separate processes. You
would not normally expect to find a socket within a web hosting account and its
presence is therefore regarded here as suspicious.
L = Symlink to [symlink]
A symlink, or symbolic link, is a special type of file that provides a
reference to another file or directory. These are usually used for convenience
by the OS and server administrators to reorder the file system. For example, on
a cPanel server symlinks are used in the user mail accounts structure for their
imap implementation. You would not normally expect to find a symlink within a
web hosting account web root to files outside of that account (e.g. to system
files) and its presence is therefore regarded here as suspicious. Symlinks to
files within an account are ignored.
f = suspicious file
cxs will report file suspicious files, e.g. image files that contain script
code or C/C++ files. The former should not normally exists and you don't
usually see C/C++ files in standard web hosting accounts.
S = SUID file
Files with SUID, or set user ID, permissions allow users to run an executable
with the permissions of the executable's owner. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.
G = GUID file
Files with GUID, or set group ID, permissions allow users to run an executable
with the permissions of the executable's owner. Typically, this permission is
used on files to provide elevated privileges on a server to a user executing
such a file. You would not normally expect to find a file with SUID permissions
within a web hosting account and its presence is therefore regarded here as
suspicious.
c = core dump file
A core dump file is a special system file generated by some executables.
Typically, they are generated when an executable hits a fatal error during
execution. At best, such files indicate a problem with the executable involved
and consumes considerable disk space. At worst, core dump files have been used
to gain elevated user privileges and exploit a server.
C = core dump file deleted
This option will automatically delete core dump files as described above.
h = suspected exploit file
cxs uses a lookup table of file names and file types which are commonly used by
exploits. For example, you would not normally expect to find a file named httpd
within a web hosting account and indeed a common exploit uses that name in an
attempt to appear innocuous.
e = Linux binary or executable file
A linux binary or executable file is one that will run on a linux OS (ELF -
Executable and Linking Format). Typically, such files within user accounts are
exploits that run as daemon processes mimicking system processes to remain
hidden. You would not normally expect to find a linux binary file within a web
hosting account and its presence is therefore regarded here as suspicious.
x = Windows binary or executable file
While a windows binary file cannot be executed on a linux OS, you would not
normally expect to find one within a web hosting account and its presence could
indicate a Trojan file and so is regarded here as suspicious.
d = suspicious directory name
cxs will report directory names that contain non-standard ASCII characters.
Such directory can often be used in such a way as to appear hidden to the
end-user. An example would be a directory called /.../ or / ../ which might
appear innocuous but often such directories contain exploits.
n = hidden directory owned by nobody user
A directory with a leading dot (e.g. /.hidden/) will often not be apparent in
many FTP client applications. One that is owned by the nobody user account has
likely been created by a web script running under the nobody user account
(typically a PHP script where suPHP is not enabled). Such directories are
suspicious in their nature of attempting to be hidden and so are reported.
w = world writable directory
In a shared web hosting environment a directory that is world writable can
typically be read and written to by any user on the server. Such directories
should be avoided, especially in web roots, as it can allow exploits to spread
between user accounts.
T = script file
This is a special option to identify scripts. It attempts to identify PHP,
Perl, and other shebang ($!) script files such as shell scripts. You may not
want to allow scripts to be uploaded through upload forms, or to be present in
certain directories that you scan (e.g. /tmp or /dev/shm) so this option is
available to detect them.
E = Email script match
This indicates that the script sends out email. This can be useful if you are
trying to identify emails within an account that send out email.
s = Script version check [OLD/OK/UNKNOWN] [SCRIPTNAME INSTALLED <>= LATEST]
This option will search for common web script installations and report if older
than the latest version on record. Using old versions of software often poses a
serious security risk and users should be encouraged to keep them up to date.

1
cxs/servers
View File

@@ -1 +0,0 @@
aHR0cDovL2xpY2Vuc2UuY29uZmlnc2VydmVyLmNvbQ==

95
cxs/symlinkdisable.pl
View File

@@ -1,95 +0,0 @@
#!/usr/local/cpanel/3rdparty/bin/perl
#******************************************************************************
# Copyright 2009-2013, Way to the Web Limited
# URL: http://www.waytotheweb.com
# Email: sales@waytotheweb.com
#******************************************************************************
# Example cPanel Symlink Script for cxs watch --Wsymlink [script] option
#
# NOTE: If you intend to use this script, copy it to a different filename as
# this file will be overwritten when cxs upgrades. When you do this you also
# need to change the --Wsymlink [script] in /etc/cxs/cxswatch.sh and restart
# cxs watch
use strict;
use Sys::Hostname;
use POSIX qw(strftime);
use Fcntl qw(:DEFAULT :flock);
# Set to 1 to only send an email
# Set to 2 to send an email and disable the directory with chmod 000 and chattr +i
# Set to 3 to send an email and suspend the cPanel account if determined
my $action = 1;
# Assign arguments to variables
my $directory = $ARGV[0];
my $account = $ARGV[1];
# Setup hostname for emails
my $hostname = hostname;
# Setup timesone for emails
my $tz = strftime("\%z", localtime);
# Check if we've already sent an alert for this directory in the last hour to
# prevent flooding. Remember to remove the temporary file in
# /etc/cxs/symlinktmp/ if you want to detect hits again within the hour
if ($directory) {
unless (-d "/etc/cxs/symlinktmp") {mkdir("/etc/cxs/symlinktmp")}
my $cmpdir = $directory;
$cmpdir =~ s/\W/_/g;
if (-e "/etc/cxs/symlinktmp/$cmpdir") {
open (FILE, "</etc/cxs/symlinktmp/$cmpdir");
flock (FILE, LOCK_SH);
my $time = <FILE>;
close (FILE);
chomp $time;
if (time - $time < 3600) {
# We have sent an alert so exit
exit;
} else {
unlink ("/etc/cxs/symlinktmp/$cmpdir");
}
} else {
sysopen (FILE, "/etc/cxs/symlinktmp/$cmpdir", O_WRONLY | O_CREAT);
flock (FILE, LOCK_EX);
print FILE time;
close (FILE);
}
}
#Perform the configured action
if ($action >= 1) {
# send an email to root from root
if ($account eq "") {$account = "[unknown]"}
open (FH, "|/usr/sbin/sendmail -t");
print FH "From: root\n";
print FH "To: root\n";
print FH "Subject: Possible Symlink Attack detected in $directory on $hostname\n";
print FH "\n";
print FH "Time: ".localtime(time)." $tz\n";
print FH "Account: $account\n";
print FH "Directory: $directory\n";
if ($action == 2) {print FH "Action: Directory disabled with chmod 000 and chattr +1\n"}
if ($action == 3 and $account ne "[unkown]") {print FH "Action: Account suspended where possible\n"}
close (FH);
}
if ($action == 2) {
# check this is a directory
if (-d $directory) {
# disable $directory
system ("chmod 000 '$directory'; chattr +i '$directory'");
}
}
if ($action == 3 and $account ne "") {
# if this is definitely a cPanel account
if (-e "/var/cpanel/users/$account") {
# If this account is not already suspended
unless (-e "/var/cpanel/suspended/$account") {
# Suspend the account
system("/scripts/suspendacct","$account");
}
}
}
exit;

1
cxs/test/testexploit.php
View File

@@ -1 +0,0 @@
<?php echo "thisisacxstestexploit"; ?>

58
cxs/uninstall.sh
View File

@@ -1,58 +0,0 @@
#!/bin/sh
echo "Uninstalling cxs..."
echo
rm -fv /var/run/chkservd/cxswatch
sed -i '/^cxswatch:/d' /etc/chkserv.d/chkservd.conf
/scripts/restartsrv_chkservd
if test `cat /proc/1/comm` = "systemd"
then
systemctl disable cxswatch.service
systemctl disable pure-uploadscript.service
systemctl stop cxswatch.service
systemctl stop pure-uploadscript.service
rm -fv /usr/lib/systemd/system/cxswatch.service
rm -fv /usr/lib/systemd/system/pure-uploadscript.service
systemctl daemon-reload
else
/etc/init.d/cxswatch stop
/sbin/chkconfig cxswatch off
/sbin/chkconfig cxswatch --del
rm -fv /etc/init.d/cxswatch
/etc/init.d/pure-uploadscript stop
chkconfig pure-uploadscript off
chkconfig pure-uploadscript --del
rm -fv /etc/init.d/pure-uploadscript
fi
sed -i "s/^CallUploadScript/\#CallUploadScript/" /etc/pure-ftpd.conf
sed -i "/^CallUploadScript/d" /var/cpanel/conf/pureftpd/main
/scripts/restartsrv_ftpserver
if [ -e "/usr/local/cpanel/bin/unregister_appconfig" ]; then
cd /
/usr/local/cpanel/bin/unregister_appconfig cxs
fi
rm -fv /usr/sbin/cxs
rm -fv /etc/cron.d/cxs-cron
rm -fv /etc/cron.daily/cxsdaily.sh
rm -fv /scripts/postftpup
/bin/rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cxs.cgi
/bin/rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cxs
/bin/rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cxs.cgi
/bin/rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cxs
/scripts/modsec_vendor remove configserver
/usr/local/cpanel/bin/manage_hooks delete module ConfigServer::CXS::FTPHook > /dev/null 2>&1
rm -Rfv /etc/cxs
wget -q -O /dev/null http://license.configserver.com/cgi-bin/cxs/uninstall.cgi
echo
echo "...Done"

1
dnf/vars/infra.rpmsave
View File

@@ -1 +0,0 @@
genclo

127
dovecot/conf.d/10-auth.conf.rpmnew
View File

@@ -1,127 +0,0 @@
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
#auth_username_format = %Lu
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

105
dovecot/conf.d/10-logging.conf.rpmnew
View File

@@ -1,105 +0,0 @@
##
## Log destination.
##
# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog
# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
#debug_log_path =
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
#syslog_facility = mail
##
## Logging verbosity and debugging.
##
# Log filter is a space-separated list conditions. If any of the conditions
# match, the log filter matches (i.e. they're ORed together). Parenthesis
# are supported if multiple conditions need to be matched together.
#
# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.
#
# For example: event=http_request_* AND category=error AND category=storage
#
# Filter to specify what debug logging to enable. This will eventually replace
# mail_debug and auth_debug settings.
#log_debug =
# Crash after logging a matching event. For example category=error will crash
# any time an error is logged, which can be useful for debugging.
#log_core_filter =
# Log unsuccessful authentication attempts and the reasons why they failed.
#auth_verbose = no
# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
#auth_verbose_passwords = no
# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
#auth_debug = no
# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
#auth_debug_passwords = no
# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
#mail_debug = no
# Show protocol level SSL errors.
#verbose_ssl = no
# mail_log plugin provides more event logging for mail processes.
plugin {
# Events to log. Also available: flag_change append
#mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
# Available fields: uid, box, msgid, from, subject, size, vsize, flags
# size and vsize are available only for expunge and copy events.
#mail_log_fields = uid box msgid size
}
##
## Log formatting.
##
# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
# Space-separated list of elements we want to log. The elements which have
# a non-empty variable value are joined together to form a comma-separated
# string.
#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
# Login log format. %s contains login_log_format_elements string, %$ contains
# the data we want to log.
#login_log_format = %$: %s
# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
# possible variables you can use.
#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
# Format to use for logging mail deliveries:
# %$ - Delivery status message (e.g. "saved to INBOX")
# %m / %{msgid} - Message-ID
# %s / %{subject} - Subject
# %f / %{from} - From address
# %p / %{size} - Physical size
# %w / %{vsize} - Virtual size
# %e / %{from_envelope} - MAIL FROM envelope
# %{to_envelope} - RCPT TO envelope
# %{delivery_time} - How many milliseconds it took to deliver the mail
# %{session_time} - How long LMTP session took, not including delivery_time
# %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
#deliver_log_format = msgid=%m: %$

416
dovecot/conf.d/10-mail.conf.rpmnew
View File

@@ -1,416 +0,0 @@
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
#mail_location =
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
# Namespace type: private, shared or public
#type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
#prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
#location =
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
# If namespace is hidden, it's not advertised to clients via NAMESPACE
# extension. You'll most likely also want to set list=no. This is mostly
# useful when converting from another server with different namespaces which
# you want to deprecate but still keep working. For example you can create
# hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
#hidden = no
# Show the mailboxes under this namespace with LIST command. This makes the
# namespace visible for clients that don't support NAMESPACE extension.
# "children" value lists child mailboxes, but hides the namespace prefix.
#list = yes
# Namespace handles its own subscriptions. If set to "no", the parent
# namespace handles them (empty prefix should always have this as "yes")
#subscriptions = yes
# See 15-mailboxes.conf for definitions of special mailboxes.
}
# Example shared namespace configuration
#namespace {
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
# %%n, %%d and %%u are expanded to the destination user.
#prefix = shared/%%u/
# Mail location for other users' mailboxes. Note that %variables and ~/
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
# destination user's data.
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
# Use the default namespace for saving subscriptions.
#subscriptions = no
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
#mail_uid =
#mail_gid =
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
#mail_privileged_group =
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =
# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment".
#mail_server_comment = ""
# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
first_valid_uid = 1000
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0
# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
##
## Maildir-specific settings
##
# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#mbox_read_locks = fcntl
#mbox_write_locks = dotlock fcntl
mbox_write_locks = fcntl
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes
# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0
# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
##
## Mail attachments
##
# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.
# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k
# Filesystem backend to use for saving attachments:
# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
# sis posix : SiS with immediate byte-by-byte comparison during saving
# sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix
# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# add-flags - Add the keywords when saving new mails or when fetching can
# do it efficiently.
# content-type=type or !type - Include/exclude content type. Excluding will
# never consider the matched MIME part as attachment. Including will only
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =

85
dovecot/conf.d/10-ssl.conf.rpmnew
View File

@@ -1,85 +0,0 @@
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/pki/dovecot/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
#ssl_client_ca_file =
# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
#ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
#
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
# version, and LATEST matches with the latest version supported by library.
#ssl_min_protocol = TLSv1.2
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_cipher_list = PROFILE=SYSTEM
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
#ssl_options =

86
dovecot/conf.d/15-mailboxes.conf.rpmnew
View File

@@ -1,86 +0,0 @@
##
## Mailbox definitions
##
# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
# Indicates whether the mailbox with this name is automatically created
# implicitly when it is first accessed. The user can also be automatically
# subscribed to the mailbox after creation. The following values are
# defined for this setting:
#
# no - Never created automatically.
# create - Automatically created, but no automatic subscription.
# subscribe - Automatically created and subscribed.
#
# special_use:
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
# mailbox. There are no validity checks, so you could specify anything
# you want in here, but it's not a good idea to use flags other than the
# standard ones specified in the RFC:
#
# \All - This (virtual) mailbox presents all messages in the
# user's message store.
# \Archive - This mailbox is used to archive messages.
# \Drafts - This mailbox is used to hold draft messages.
# \Flagged - This (virtual) mailbox presents all messages in the
# user's message store marked with the IMAP \Flagged flag.
# \Important - This (virtual) mailbox presents all messages in the
# user's message store deemed important to user.
# \Junk - This mailbox is where messages deemed to be junk mail
# are held.
# \Sent - This mailbox is used to hold copies of messages that
# have been sent.
# \Trash - This mailbox is used to hold messages that have been
# deleted.
#
# comment:
# Defines a default comment or note associated with the mailbox. This
# value is accessible through the IMAP METADATA mailbox entries
# "/shared/comment" and "/private/comment". Users with sufficient
# privileges can override the default value for entries with a custom
# value.
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
# For \Sent mailboxes there are two widely used names. We'll mark both of
# them as \Sent. User typically deletes one of them if duplicates are created.
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
# If you have a virtual "All messages" mailbox:
#mailbox virtual/All {
# special_use = \All
# comment = All my messages
#}
# If you have a virtual "Flagged" mailbox:
#mailbox virtual/Flagged {
# special_use = \Flagged
# comment = All my flagged messages
#}
# If you have a virtual "Important" mailbox:
#mailbox virtual/Important {
# special_use = \Important
# comment = All my important messages
#}
}

99
dovecot/conf.d/20-imap.conf.rpmnew
View File

@@ -1,99 +0,0 @@
##
## IMAP specific settings
##
# If nothing happens for this long while client is IDLEing, move the connection
# to imap-hibernate process and close the old imap process. This saves memory,
# because connections use very little memory in imap-hibernate process. The
# downside is that recreating the imap process back uses some resources.
#imap_hibernate_timeout = 0
# Maximum IMAP command line length. Some clients generate very long command
# lines with huge mailboxes, so you may need to raise this if you get
# "Too long argument" or "IMAP command line too large" errors often.
#imap_max_line_length = 64k
# IMAP logout format string:
# %i - total number of bytes read from client
# %o - total number of bytes sent to client
# %{fetch_hdr_count} - Number of mails with mail header data sent to client
# %{fetch_hdr_bytes} - Number of bytes with mail header data sent to client
# %{fetch_body_count} - Number of mails with mail body data sent to client
# %{fetch_body_bytes} - Number of bytes with mail body data sent to client
# %{deleted} - Number of mails where client added \Deleted flag
# %{expunged} - Number of mails that client expunged, which does not
# include automatically expunged mails
# %{autoexpunged} - Number of mails that were automatically expunged after
# client disconnected
# %{trashed} - Number of mails that client copied/moved to the
# special_use=\Trash mailbox.
# %{appended} - Number of mails saved during the session
#imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged} \
# trashed=%{trashed} hdr_count=%{fetch_hdr_count} \
# hdr_bytes=%{fetch_hdr_bytes} body_count=%{fetch_body_count} \
# body_bytes=%{fetch_body_bytes}
# Override the IMAP CAPABILITY response. If the value begins with '+',
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
#imap_capability =
# How long to wait between "OK Still here" notifications when client is
# IDLEing.
#imap_idle_notify_interval = 2 mins
# ID field names and values to send to clients. Using * as the value makes
# Dovecot use the default value. The following fields have default values
# currently: name, version, os, os-version, support-url, support-email,
# revision.
#imap_id_send =
# ID fields sent by client to log. * means everything.
#imap_id_log =
# Workarounds for various client bugs:
# delay-newmail:
# Send EXISTS/RECENT new mail notifications only when replying to NOOP
# and CHECK commands. Some clients ignore them otherwise, for example OSX
# Mail (<v2.1). Outlook Express breaks more badly though, without this it
# may show user "Message no longer in server" errors. Note that OE6 still
# breaks even with this workaround if synchronization is set to
# "Headers Only".
# tb-extra-mailbox-sep:
# Thunderbird gets somehow confused with LAYOUT=fs (mbox and dbox) and
# adds extra '/' suffixes to mailbox names. This option causes Dovecot to
# ignore the extra '/' instead of treating it as invalid mailbox name.
# tb-lsub-flags:
# Show \Noselect flags for LSUB replies with LAYOUT=fs (e.g. mbox).
# This makes Thunderbird realize they aren't selectable and show them
# greyed out, instead of only later giving "not selectable" popup error.
#
# The list is space-separated.
#imap_client_workarounds =
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
#imap_urlauth_host =
# Enable IMAP LITERAL- extension (replaces LITERAL+)
#imap_literal_minus = no
# What happens when FETCH fails due to some internal error:
# disconnect-immediately:
# The FETCH is aborted immediately and the IMAP client is disconnected.
# disconnect-after:
# The FETCH runs for all the requested mails returning as much data as
# possible. The client is finally disconnected without a tagged reply.
# no-after:
# Same as disconnect-after, but tagged NO reply is sent instead of
# disconnecting the client. If the client attempts to FETCH the same failed
# mail more than once, the client is disconnected. This is to avoid clients
# from going into infinite loops trying to FETCH a broken mail.
#imap_fetch_failure = disconnect-immediately
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
}

40
dovecot/conf.d/20-lmtp.conf.rpmnew
View File

@@ -1,40 +0,0 @@
##
## LMTP specific settings
##
# Support proxying to other LMTP/SMTP servers by performing passdb lookups.
#lmtp_proxy = no
# When recipient address includes the detail (e.g. user+detail), try to save
# the mail to the detail mailbox. See also recipient_delimiter and
# lda_mailbox_autocreate settings.
#lmtp_save_to_detail_mailbox = no
# Verify quota before replying to RCPT TO. This adds a small overhead.
#lmtp_rcpt_check_quota = no
# Add "Received:" header to mails delivered.
#lmtp_add_received_header = yes
# Which recipient address to use for Delivered-To: header and Received:
# header. The default is "final", which is the same as the one given to
# RCPT TO command. "original" uses the address given in RCPT TO's ORCPT
# parameter, "none" uses nothing. Note that "none" is currently always used
# when a mail has multiple recipients.
#lmtp_hdr_delivery_address = final
# Workarounds for various client bugs:
# whitespace-before-path:
# Allow one or more spaces or tabs between `MAIL FROM:' and path and between
# `RCPT TO:' and path.
# mailbox-for-path:
# Allow using bare Mailbox syntax (i.e., without <...>) instead of full path
# syntax.
#
# The list is space-separated.
#lmtp_client_workarounds =
protocol lmtp {
# Space separated list of plugins to load (default is global mail_plugins).
#mail_plugins = $mail_plugins
}

83
dovecot/conf.d/90-quota.conf.rpmnew
View File

@@ -1,83 +0,0 @@
##
## Quota configuration.
##
# Note that you also have to enable quota plugin in mail_plugins setting.
# <doc/wiki/Quota.txt>
##
## Quota limits
##
# Quota limits are set using "quota_rule" parameters. To get per-user quota
# limits, you can set/override them by returning "quota_rule" extra field
# from userdb. It's also possible to give mailbox-specific limits, for example
# to give additional 100 MB when saving to Trash:
plugin {
#quota_rule = *:storage=1G
#quota_rule2 = Trash:storage=+100M
# LDA/LMTP allows saving the last mail to bring user from under quota to
# over quota, if the quota doesn't grow too high. Default is to allow as
# long as quota will stay under 10% above the limit. Also allowed e.g. 10M.
#quota_grace = 10%%
# Quota plugin can also limit the maximum accepted mail size.
#quota_max_mail_size = 100M
}
##
## Quota warnings
##
# You can execute a given command when user exceeds a specified quota limit.
# Each quota root has separate limits. Only the command for the first
# exceeded limit is excecuted, so put the highest limit first.
# The commands are executed via script service by connecting to the named
# UNIX socket (quota-warning below).
# Note that % needs to be escaped as %%, otherwise "% " expands to empty.
plugin {
#quota_warning = storage=95%% quota-warning 95 %u
#quota_warning2 = storage=80%% quota-warning 80 %u
}
# Example quota-warning service. The unix listener's permissions should be
# set in a way that mail processes can connect to it. Below example assumes
# that mail processes run as vmail user. If you use mode=0666, all system users
# can generate quota warnings to anyone.
#service quota-warning {
# executable = script /usr/local/bin/quota-warning.sh
# user = dovecot
# unix_listener quota-warning {
# user = vmail
# }
#}
##
## Quota backends
##
# Multiple backends are supported:
# dirsize: Find and sum all the files found from mail directory.
# Extremely SLOW with Maildir. It'll eat your CPU and disk I/O.
# dict: Keep quota stored in dictionary (eg. SQL)
# maildir: Maildir++ quota
# fs: Read-only support for filesystem quota
plugin {
#quota = dirsize:User quota
#quota = maildir:User quota
#quota = dict:User quota::proxy::quota
#quota = fs:User quota
}
# Multiple quota roots are also possible, for example this gives each user
# their own 100MB quota and one shared 1GB quota within the domain:
plugin {
#quota = dict:user::proxy::quota
#quota2 = dict:domain:%d:proxy::quota_domain
#quota_rule = *:storage=102400
#quota2_rule = *:storage=1048576
}

214
dovecot/conf.d/90-sieve.conf.rpmnew
View File

@@ -1,214 +0,0 @@
##
## Settings for the Sieve interpreter
##
# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
# The Sieve interpreter can retrieve Sieve scripts from several types of
# locations. The default `file' location type is a local filesystem path
# pointing to a Sieve script file or a directory containing multiple Sieve
# script files. More complex setups can use other location types such as
# `ldap' or `dict' to fetch Sieve scripts from remote databases.
#
# All settings that specify the location of one ore more Sieve scripts accept
# the following syntax:
#
# location = [<type>:]path[;<option>[=<value>][;...]]
#
# If the type prefix is omitted, the script location type is 'file' and the
# location is interpreted as a local filesystem path pointing to a Sieve script
# file or directory. Refer to Pigeonhole wiki or INSTALL file for more
# information.
plugin {
# The location of the user's main Sieve script or script storage. The LDA
# Sieve plugin uses this to find the active script for Sieve filtering at
# delivery. The "include" extension uses this location for retrieving
# :personal" scripts. This is also where the ManageSieve service will store
# the user's scripts, if supported.
#
# Currently only the 'file:' location type supports ManageSieve operation.
# Other location types like 'dict:' and 'ldap:' can currently only
# be used as a read-only script source ().
#
# For the 'file:' type: use the ';active=' parameter to specify where the
# active script symlink is located.
# For other types: use the ';name=' parameter to specify the name of the
# default/active script.
sieve = file:~/sieve;active=~/.dovecot.sieve
# The default Sieve script when the user has none. This is the location of a
# global sieve script file, which gets executed ONLY if user's personal Sieve
# script doesn't exist. Be sure to pre-compile this script manually using the
# sievec command line tool if the binary is not stored in a global location.
# --> See sieve_before for executing scripts before the user's personal
# script.
#sieve_default = /var/lib/dovecot/sieve/default.sieve
# The name by which the default Sieve script (as configured by the
# sieve_default setting) is visible to the user through ManageSieve.
#sieve_default_name =
# Location for ":global" include scripts as used by the "include" extension.
#sieve_global =
# The location of a Sieve script that is run for any message that is about to
# be discarded; i.e., it is not delivered anywhere by the normal Sieve
# execution. This only happens when the "implicit keep" is canceled, by e.g.
# the "discard" action, and no actions that deliver the message are executed.
# This "discard script" can prevent discarding the message, by executing
# alternative actions. If the discard script does nothing, the message is
# still discarded as it would be when no discard script is configured.
#sieve_discard =
# Location Sieve of scripts that need to be executed before the user's
# personal script. If a 'file' location path points to a directory, all the
# Sieve scripts contained therein (with the proper `.sieve' extension) are
# executed. The order of execution within that directory is determined by the
# file names, using a normal 8bit per-character comparison.
#
# Multiple script locations can be specified by appending an increasing number
# to the setting name. The Sieve scripts found from these locations are added
# to the script execution sequence in the specified order. Reading the
# numbered sieve_before settings stops at the first missing setting, so no
# numbers may be skipped.
#sieve_before = /var/lib/dovecot/sieve.d/
#sieve_before2 = ldap:/etc/sieve-ldap.conf;name=ldap-domain
#sieve_before3 = (etc...)
# Identical to sieve_before, only the specified scripts are executed after the
# user's script (only when keep is still in effect!). Multiple script
# locations can be specified by appending an increasing number.
#sieve_after =
#sieve_after2 =
#sieve_after2 = (etc...)
# Which Sieve language extensions are available to users. By default, all
# supported extensions are available, except for deprecated extensions or
# those that are still under development. Some system administrators may want
# to disable certain Sieve extensions or enable those that are not available
# by default. This setting can use '+' and '-' to specify differences relative
# to the default. For example `sieve_extensions = +imapflags' will enable the
# deprecated imapflags extension in addition to all extensions were already
# enabled by default.
#sieve_extensions = +notify +imapflags
# Which Sieve language extensions are ONLY available in global scripts. This
# can be used to restrict the use of certain Sieve extensions to administrator
# control, for instance when these extensions can cause security concerns.
# This setting has higher precedence than the `sieve_extensions' setting
# (above), meaning that the extensions enabled with this setting are never
# available to the user's personal script no matter what is specified for the
# `sieve_extensions' setting. The syntax of this setting is similar to the
# `sieve_extensions' setting, with the difference that extensions are
# enabled or disabled for exclusive use in global scripts. Currently, no
# extensions are marked as such by default.
#sieve_global_extensions =
# The Pigeonhole Sieve interpreter can have plugins of its own. Using this
# setting, the used plugins can be specified. Check the Dovecot wiki
# (wiki2.dovecot.org) or the pigeonhole website
# (http://pigeonhole.dovecot.org) for available plugins.
# The sieve_extprograms plugin is included in this release.
#sieve_plugins =
# The separator that is expected between the :user and :detail
# address parts introduced by the subaddress extension. This may
# also be a sequence of characters (e.g. '--'). The current
# implementation looks for the separator from the left of the
# localpart and uses the first one encountered. The :user part is
# left of the separator and the :detail part is right. This setting
# is also used by Dovecot's LMTP service.
#recipient_delimiter = +
# The maximum size of a Sieve script. The compiler will refuse to compile any
# script larger than this limit. If set to 0, no limit on the script size is
# enforced.
#sieve_max_script_size = 1M
# The maximum number of actions that can be performed during a single script
# execution. If set to 0, no limit on the total number of actions is enforced.
#sieve_max_actions = 32
# The maximum number of redirect actions that can be performed during a single
# script execution. If set to 0, no redirect actions are allowed.
#sieve_max_redirects = 4
# The maximum number of personal Sieve scripts a single user can have. If set
# to 0, no limit on the number of scripts is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_scripts = 0
# The maximum amount of disk storage a single user's scripts may occupy. If
# set to 0, no limit on the used amount of disk storage is enforced.
# (Currently only relevant for ManageSieve)
#sieve_quota_max_storage = 0
# The primary e-mail address for the user. This is used as a default when no
# other appropriate address is available for sending messages. If this setting
# is not configured, either the postmaster or null "<>" address is used as a
# sender, depending on the action involved. This setting is important when
# there is no message envelope to extract addresses from, such as when the
# script is executed in IMAP.
#sieve_user_email =
# The path to the file where the user log is written. If not configured, a
# default location is used. If the main user's personal Sieve (as configured
# with sieve=) is a file, the logfile is set to <filename>.log by default. If
# it is not a file, the default user log file is ~/.dovecot.sieve.log.
#sieve_user_log =
# Specifies what envelope sender address is used for redirected messages.
# The following values are supported for this setting:
#
# "sender" - The sender address is used (default).
# "recipient" - The final recipient address is used.
# "orig_recipient" - The original recipient is used.
# "user_email" - The user's primary address is used. This is
# configured with the "sieve_user_email" setting. If
# that setting is unconfigured, "user_mail" is equal to
# "recipient".
# "postmaster" - The postmaster_address configured for the LDA.
# "<user@domain>" - Redirected messages are always sent from user@domain.
# The angle brackets are mandatory. The null "<>" address
# is also supported.
#
# This setting is ignored when the envelope sender is "<>". In that case the
# sender of the redirected message is also always "<>".
#sieve_redirect_envelope_from = sender
## TRACE DEBUGGING
# Trace debugging provides detailed insight in the operations performed by
# the Sieve script. These settings apply to both the LDA Sieve plugin and the
# IMAPSIEVE plugin.
#
# WARNING: On a busy server, this functionality can quickly fill up the trace
# directory with a lot of trace files. Enable this only temporarily and as
# selective as possible.
# The directory where trace files are written. Trace debugging is disabled if
# this setting is not configured or if the directory does not exist. If the
# path is relative or it starts with "~/" it is interpreted relative to the
# current user's home directory.
#sieve_trace_dir =
# The verbosity level of the trace messages. Trace debugging is disabled if
# this setting is not configured. Possible values are:
#
# "actions" - Only print executed action commands, like keep,
# fileinto, reject and redirect.
# "commands" - Print any executed command, excluding test commands.
# "tests" - Print all executed commands and performed tests.
# "matching" - Print all executed commands, performed tests and the
# values matched in those tests.
#sieve_trace_level =
# Enables highly verbose debugging messages that are usually only useful for
# developers.
#sieve_trace_debug = no
# Enables showing byte code addresses in the trace output, rather than only
# the source line numbers.
#sieve_trace_addresses = no
}

101
dovecot/dovecot.conf.rpmnew
View File

@@ -1,101 +0,0 @@
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Protocols we want to be serving.
#protocols = imap pop3 lmtp submission
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

45
etckeeper/etckeeper.conf.rpmnew
View File

@@ -1,45 +0,0 @@
# The VCS to use.
#VCS="hg"
VCS="git"
#VCS="bzr"
#VCS="darcs"
# Options passed to git commit when run by etckeeper.
GIT_COMMIT_OPTIONS=""
# Options passed to hg commit when run by etckeeper.
HG_COMMIT_OPTIONS=""
# Options passed to bzr commit when run by etckeeper.
BZR_COMMIT_OPTIONS=""
# Options passed to darcs record when run by etckeeper.
DARCS_COMMIT_OPTIONS="-a"
# Etckeeper includes both a cron job and a systemd timer, which each
# can commit exiting changes to /etc automatically once per day.
# To enable the systemd timer, run: systemctl enable etckeeper.timer
# The cron job is enabled by default; to disable it, uncomment this next line.
#AVOID_DAILY_AUTOCOMMITS=1
# Uncomment the following to avoid special file warning
# (the option is enabled automatically for daily autocommits regardless).
#AVOID_SPECIAL_FILE_WARNING=1
# Uncomment to avoid etckeeper committing existing changes to
# /etc before installation. It will cancel the installation,
# so you can commit the changes by hand.
#AVOID_COMMIT_BEFORE_INSTALL=1
# The high-level package manager that's being used.
# (apt, pacman, pacman-g2, yum, dnf, zypper, apk, xbps, emerge, cave, etc)
HIGHLEVEL_PACKAGE_MANAGER=dnf
# The low-level package manager that's being used.
# (dpkg, rpm, pacman, pacmatic, pacman-g2, apk, xbps, cave, qlist, etc)
LOWLEVEL_PACKAGE_MANAGER=rpm
# To push each commit to a remote, put the name of the remote here.
# (eg, "origin" for git). Space-separated lists of multiple remotes
# also work (eg, "origin gitlab github" for git).
PUSH_REMOTE=""

391
fail2ban/action.d/badips.py.rpmnew
View File

@@ -1,391 +0,0 @@
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
import sys
if sys.version_info < (2, 7): # pragma: no cover
raise ImportError("badips.py action requires Python >= 2.7")
import json
import threading
import logging
if sys.version_info >= (3, ): # pragma: 2.x no cover
from urllib.request import Request, urlopen
from urllib.parse import urlencode
from urllib.error import HTTPError
else: # pragma: 3.x no cover
from urllib2 import Request, urlopen, HTTPError
from urllib import urlencode
from fail2ban.server.actions import Actions, ActionBase, BanTicket
from fail2ban.helpers import splitwords, str2LogLevel
class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
"""Fail2Ban action which reports bans to badips.com, and also
blacklist bad IPs listed on badips.com by using another action's
ban method.
Parameters
----------
jail : Jail
The jail which the action belongs to.
name : str
Name assigned to the action.
category : str
Valid badips.com category for reporting failures.
score : int, optional
Minimum score for bad IPs. Default 3.
age : str, optional
Age of last report for bad IPs, per badips.com syntax.
Default "24h" (24 hours)
banaction : str, optional
Name of banaction to use for blacklisting bad IPs. If `None`,
no blacklist of IPs will take place.
Default `None`.
bancategory : str, optional
Name of category to use for blacklisting, which can differ
from category used for reporting. e.g. may want to report
"postfix", but want to use whole "mail" category for blacklist.
Default `category`.
bankey : str, optional
Key issued by badips.com to retrieve personal list
of blacklist IPs.
updateperiod : int, optional
Time in seconds between updating bad IPs blacklist.
Default 900 (15 minutes)
loglevel : int/str, optional
Log level of the message when an IP is (un)banned.
Default `DEBUG`.
Can be also supplied as two-value list (comma- or space separated) to
provide level of the summary message when a group of IPs is (un)banned.
Example `DEBUG,INFO`.
agent : str, optional
User agent transmitted to server.
Default `Fail2Ban/ver.`
Raises
------
ValueError
If invalid `category`, `score`, `banaction` or `updateperiod`.
"""
TIMEOUT = 10
_badips = "https://www.badips.com"
def _Request(self, url, **argv):
return Request(url, headers={'User-Agent': self.agent}, **argv)
def __init__(self, jail, name, category, score=3, age="24h",
banaction=None, bancategory=None, bankey=None, updateperiod=900,
loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT):
super(BadIPsAction, self).__init__(jail, name)
self.timeout = timeout
self.agent = agent
self.category = category
self.score = score
self.age = age
self.banaction = banaction
self.bancategory = bancategory or category
self.bankey = bankey
loglevel = splitwords(loglevel)
self.sumloglevel = str2LogLevel(loglevel[-1])
self.loglevel = str2LogLevel(loglevel[0])
self.updateperiod = updateperiod
self._bannedips = set()
# Used later for threading.Timer for updating badips
self._timer = None
@staticmethod
def isAvailable(timeout=1):
try:
response = urlopen(Request("/".join([BadIPsAction._badips]),
headers={'User-Agent': "Fail2Ban"}), timeout=timeout)
return True, ''
except Exception as e: # pragma: no cover
return False, e
def logError(self, response, what=''): # pragma: no cover - sporadical (502: Bad Gateway, etc)
messages = {}
try:
messages = json.loads(response.read().decode('utf-8'))
except:
pass
self._logSys.error(
"%s. badips.com response: '%s'", what,
messages.get('err', 'Unknown'))
def getCategories(self, incParents=False):
"""Get badips.com categories.
Returns
-------
set
Set of categories.
Raises
------
HTTPError
Any issues with badips.com request.
ValueError
If badips.com response didn't contain necessary information
"""
try:
response = urlopen(
self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout)
except HTTPError as response: # pragma: no cover
self.logError(response, "Failed to fetch categories")
raise
else:
response_json = json.loads(response.read().decode('utf-8'))
if not 'categories' in response_json:
err = "badips.com response lacked categories specification. Response was: %s" \
% (response_json,)
self._logSys.error(err)
raise ValueError(err)
categories = response_json['categories']
categories_names = set(
value['Name'] for value in categories)
if incParents:
categories_names.update(set(
value['Parent'] for value in categories
if "Parent" in value))
return categories_names
def getList(self, category, score, age, key=None):
"""Get badips.com list of bad IPs.
Parameters
----------
category : str
Valid badips.com category.
score : int
Minimum score for bad IPs.
age : str
Age of last report for bad IPs, per badips.com syntax.
key : str, optional
Key issued by badips.com to fetch IPs reported with the
associated key.
Returns
-------
set
Set of bad IPs.
Raises
------
HTTPError
Any issues with badips.com request.
"""
try:
url = "?".join([
"/".join([self._badips, "get", "list", category, str(score)]),
urlencode({'age': age})])
if key:
url = "&".join([url, urlencode({'key': key})])
self._logSys.debug('badips.com: get list, url: %r', url)
response = urlopen(self._Request(url), timeout=self.timeout)
except HTTPError as response: # pragma: no cover
self.logError(response, "Failed to fetch bad IP list")
raise
else:
return set(response.read().decode('utf-8').split())
@property
def category(self):
"""badips.com category for reporting IPs.
"""
return self._category
@category.setter
def category(self, category):
if category not in self.getCategories():
self._logSys.error("Category name '%s' not valid. "
"see badips.com for list of valid categories",
category)
raise ValueError("Invalid category: %s" % category)
self._category = category
@property
def bancategory(self):
"""badips.com bancategory for fetching IPs.
"""
return self._bancategory
@bancategory.setter
def bancategory(self, bancategory):
if bancategory != "any" and bancategory not in self.getCategories(incParents=True):
self._logSys.error("Category name '%s' not valid. "
"see badips.com for list of valid categories",
bancategory)
raise ValueError("Invalid bancategory: %s" % bancategory)
self._bancategory = bancategory
@property
def score(self):
"""badips.com minimum score for fetching IPs.
"""
return self._score
@score.setter
def score(self, score):
score = int(score)
if 0 <= score <= 5:
self._score = score
else:
raise ValueError("Score must be 0-5")
@property
def banaction(self):
"""Jail action to use for banning/unbanning.
"""
return self._banaction
@banaction.setter
def banaction(self, banaction):
if banaction is not None and banaction not in self._jail.actions:
self._logSys.error("Action name '%s' not in jail '%s'",
banaction, self._jail.name)
raise ValueError("Invalid banaction")
self._banaction = banaction
@property
def updateperiod(self):
"""Period in seconds between banned bad IPs will be updated.
"""
return self._updateperiod
@updateperiod.setter
def updateperiod(self, updateperiod):
updateperiod = int(updateperiod)
if updateperiod > 0:
self._updateperiod = updateperiod
else:
raise ValueError("Update period must be integer greater than 0")
def _banIPs(self, ips):
for ip in ips:
try:
ai = Actions.ActionInfo(BanTicket(ip), self._jail)
self._jail.actions[self.banaction].ban(ai)
except Exception as e:
self._logSys.error(
"Error banning IP %s for jail '%s' with action '%s': %s",
ip, self._jail.name, self.banaction, e,
exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
else:
self._bannedips.add(ip)
self._logSys.log(self.loglevel,
"Banned IP %s for jail '%s' with action '%s'",
ip, self._jail.name, self.banaction)
def _unbanIPs(self, ips):
for ip in ips:
try:
ai = Actions.ActionInfo(BanTicket(ip), self._jail)
self._jail.actions[self.banaction].unban(ai)
except Exception as e:
self._logSys.error(
"Error unbanning IP %s for jail '%s' with action '%s': %s",
ip, self._jail.name, self.banaction, e,
exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
else:
self._logSys.log(self.loglevel,
"Unbanned IP %s for jail '%s' with action '%s'",
ip, self._jail.name, self.banaction)
finally:
self._bannedips.remove(ip)
def start(self):
"""If `banaction` set, blacklists bad IPs.
"""
if self.banaction is not None:
self.update()
def update(self):
"""If `banaction` set, updates blacklisted IPs.
Queries badips.com for list of bad IPs, removing IPs from the
blacklist if no longer present, and adds new bad IPs to the
blacklist.
"""
if self.banaction is not None:
if self._timer:
self._timer.cancel()
self._timer = None
try:
ips = self.getList(
self.bancategory, self.score, self.age, self.bankey)
# Remove old IPs no longer listed
s = self._bannedips - ips
m = len(s)
self._unbanIPs(s)
# Add new IPs which are now listed
s = ips - self._bannedips
p = len(s)
self._banIPs(s)
if m != 0 or p != 0:
self._logSys.log(self.sumloglevel,
"Updated IPs for jail '%s' (-%d/+%d)",
self._jail.name, m, p)
self._logSys.debug(
"Next update for jail '%' in %i seconds",
self._jail.name, self.updateperiod)
finally:
self._timer = threading.Timer(self.updateperiod, self.update)
self._timer.start()
def stop(self):
"""If `banaction` set, clears blacklisted IPs.
"""
if self.banaction is not None:
if self._timer:
self._timer.cancel()
self._timer = None
self._unbanIPs(self._bannedips.copy())
def ban(self, aInfo):
"""Reports banned IP to badips.com.
Parameters
----------
aInfo : dict
Dictionary which includes information in relation to
the ban.
Raises
------
HTTPError
Any issues with badips.com request.
"""
try:
url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])])
self._logSys.debug('badips.com: ban, url: %r', url)
response = urlopen(self._Request(url), timeout=self.timeout)
except HTTPError as response: # pragma: no cover
self.logError(response, "Failed to ban")
raise
else:
messages = json.loads(response.read().decode('utf-8'))
self._logSys.debug(
"Response from badips.com report: '%s'",
messages['suc'])
Action = BadIPsAction

377
fail2ban/action.d/badips.py.rpmsave
View File

@@ -1,377 +0,0 @@
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
import sys
if sys.version_info < (2, 7):
raise ImportError("badips.py action requires Python >= 2.7")
import json
import threading
import logging
if sys.version_info >= (3, ):
from urllib.request import Request, urlopen
from urllib.parse import urlencode
from urllib.error import HTTPError
else:
from urllib2 import Request, urlopen, HTTPError
from urllib import urlencode
from fail2ban.server.actions import ActionBase
class BadIPsAction(ActionBase):
"""Fail2Ban action which reports bans to badips.com, and also
blacklist bad IPs listed on badips.com by using another action's
ban method.
Parameters
----------
jail : Jail
The jail which the action belongs to.
name : str
Name assigned to the action.
category : str
Valid badips.com category for reporting failures.
score : int, optional
Minimum score for bad IPs. Default 3.
age : str, optional
Age of last report for bad IPs, per badips.com syntax.
Default "24h" (24 hours)
key : str, optional
Key issued by badips.com to report bans, for later retrieval
of personalised content.
banaction : str, optional
Name of banaction to use for blacklisting bad IPs. If `None`,
no blacklist of IPs will take place.
Default `None`.
bancategory : str, optional
Name of category to use for blacklisting, which can differ
from category used for reporting. e.g. may want to report
"postfix", but want to use whole "mail" category for blacklist.
Default `category`.
bankey : str, optional
Key issued by badips.com to blacklist IPs reported with the
associated key.
updateperiod : int, optional
Time in seconds between updating bad IPs blacklist.
Default 900 (15 minutes)
agent : str, optional
User agent transmitted to server.
Default `Fail2Ban/ver.`
Raises
------
ValueError
If invalid `category`, `score`, `banaction` or `updateperiod`.
"""
TIMEOUT = 10
_badips = "http://www.badips.com"
def _Request(self, url, **argv):
return Request(url, headers={'User-Agent': self.agent}, **argv)
def __init__(self, jail, name, category, score=3, age="24h", key=None,
banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban",
timeout=TIMEOUT):
super(BadIPsAction, self).__init__(jail, name)
self.timeout = timeout
self.agent = agent
self.category = category
self.score = score
self.age = age
self.key = key
self.banaction = banaction
self.bancategory = bancategory or category
self.bankey = bankey
self.updateperiod = updateperiod
self._bannedips = set()
# Used later for threading.Timer for updating badips
self._timer = None
def getCategories(self, incParents=False):
"""Get badips.com categories.
Returns
-------
set
Set of categories.
Raises
------
HTTPError
Any issues with badips.com request.
ValueError
If badips.com response didn't contain necessary information
"""
try:
response = urlopen(
self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout)
except HTTPError as response:
messages = json.loads(response.read().decode('utf-8'))
self._logSys.error(
"Failed to fetch categories. badips.com response: '%s'",
messages['err'])
raise
else:
response_json = json.loads(response.read().decode('utf-8'))
if not 'categories' in response_json:
err = "badips.com response lacked categories specification. Response was: %s" \
% (response_json,)
self._logSys.error(err)
raise ValueError(err)
categories = response_json['categories']
categories_names = set(
value['Name'] for value in categories)
if incParents:
categories_names.update(set(
value['Parent'] for value in categories
if "Parent" in value))
return categories_names
def getList(self, category, score, age, key=None):
"""Get badips.com list of bad IPs.
Parameters
----------
category : str
Valid badips.com category.
score : int
Minimum score for bad IPs.
age : str
Age of last report for bad IPs, per badips.com syntax.
key : str, optional
Key issued by badips.com to fetch IPs reported with the
associated key.
Returns
-------
set
Set of bad IPs.
Raises
------
HTTPError
Any issues with badips.com request.
"""
try:
url = "?".join([
"/".join([self._badips, "get", "list", category, str(score)]),
urlencode({'age': age})])
if key:
url = "&".join([url, urlencode({'key': key})])
response = urlopen(self._Request(url), timeout=self.timeout)
except HTTPError as response:
messages = json.loads(response.read().decode('utf-8'))
self._logSys.error(
"Failed to fetch bad IP list. badips.com response: '%s'",
messages['err'])
raise
else:
return set(response.read().decode('utf-8').split())
@property
def category(self):
"""badips.com category for reporting IPs.
"""
return self._category
@category.setter
def category(self, category):
if category not in self.getCategories():
self._logSys.error("Category name '%s' not valid. "
"see badips.com for list of valid categories",
category)
raise ValueError("Invalid category: %s" % category)
self._category = category
@property
def bancategory(self):
"""badips.com bancategory for fetching IPs.
"""
return self._bancategory
@bancategory.setter
def bancategory(self, bancategory):
if bancategory not in self.getCategories(incParents=True):
self._logSys.error("Category name '%s' not valid. "
"see badips.com for list of valid categories",
bancategory)
raise ValueError("Invalid bancategory: %s" % bancategory)
self._bancategory = bancategory
@property
def score(self):
"""badips.com minimum score for fetching IPs.
"""
return self._score
@score.setter
def score(self, score):
score = int(score)
if 0 <= score <= 5:
self._score = score
else:
raise ValueError("Score must be 0-5")
@property
def banaction(self):
"""Jail action to use for banning/unbanning.
"""
return self._banaction
@banaction.setter
def banaction(self, banaction):
if banaction is not None and banaction not in self._jail.actions:
self._logSys.error("Action name '%s' not in jail '%s'",
banaction, self._jail.name)
raise ValueError("Invalid banaction")
self._banaction = banaction
@property
def updateperiod(self):
"""Period in seconds between banned bad IPs will be updated.
"""
return self._updateperiod
@updateperiod.setter
def updateperiod(self, updateperiod):
updateperiod = int(updateperiod)
if updateperiod > 0:
self._updateperiod = updateperiod
else:
raise ValueError("Update period must be integer greater than 0")
def _banIPs(self, ips):
for ip in ips:
try:
self._jail.actions[self.banaction].ban({
'ip': ip,
'failures': 0,
'matches': "",
'ipmatches': "",
'ipjailmatches': "",
})
except Exception as e:
self._logSys.error(
"Error banning IP %s for jail '%s' with action '%s': %s",
ip, self._jail.name, self.banaction, e,
exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
else:
self._bannedips.add(ip)
self._logSys.info(
"Banned IP %s for jail '%s' with action '%s'",
ip, self._jail.name, self.banaction)
def _unbanIPs(self, ips):
for ip in ips:
try:
self._jail.actions[self.banaction].unban({
'ip': ip,
'failures': 0,
'matches': "",
'ipmatches': "",
'ipjailmatches': "",
})
except Exception as e:
self._logSys.info(
"Error unbanning IP %s for jail '%s' with action '%s': %s",
ip, self._jail.name, self.banaction, e,
exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
else:
self._logSys.info(
"Unbanned IP %s for jail '%s' with action '%s'",
ip, self._jail.name, self.banaction)
finally:
self._bannedips.remove(ip)
def start(self):
"""If `banaction` set, blacklists bad IPs.
"""
if self.banaction is not None:
self.update()
def update(self):
"""If `banaction` set, updates blacklisted IPs.
Queries badips.com for list of bad IPs, removing IPs from the
blacklist if no longer present, and adds new bad IPs to the
blacklist.
"""
if self.banaction is not None:
if self._timer:
self._timer.cancel()
self._timer = None
try:
ips = self.getList(
self.bancategory, self.score, self.age, self.bankey)
# Remove old IPs no longer listed
self._unbanIPs(self._bannedips - ips)
# Add new IPs which are now listed
self._banIPs(ips - self._bannedips)
self._logSys.info(
"Updated IPs for jail '%s'. Update again in %i seconds",
self._jail.name, self.updateperiod)
finally:
self._timer = threading.Timer(self.updateperiod, self.update)
self._timer.start()
def stop(self):
"""If `banaction` set, clears blacklisted IPs.
"""
if self.banaction is not None:
if self._timer:
self._timer.cancel()
self._timer = None
self._unbanIPs(self._bannedips.copy())
def ban(self, aInfo):
"""Reports banned IP to badips.com.
Parameters
----------
aInfo : dict
Dictionary which includes information in relation to
the ban.
Raises
------
HTTPError
Any issues with badips.com request.
"""
try:
url = "/".join([self._badips, "add", self.category, aInfo['ip']])
if self.key:
url = "?".join([url, urlencode({'key': self.key})])
response = urlopen(self._Request(url), timeout=self.timeout)
except HTTPError as response:
messages = json.loads(response.read().decode('utf-8'))
self._logSys.error(
"Response from badips.com report: '%s'",
messages['err'])
raise
else:
messages = json.loads(response.read().decode('utf-8'))
self._logSys.info(
"Response from badips.com report: '%s'",
messages['suc'])
Action = BadIPsAction

93
fail2ban/action.d/iptables-common.conf.rpmsave
View File

@@ -1,93 +0,0 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is a included configuration file and includes the definitions for the iptables
# used in all iptables based actions by default.
#
# The user can override the defaults in iptables-common.local
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
[INCLUDES]
after = iptables-blocktype.local
iptables-common.local
# iptables-blocktype.local is obsolete
[Definition]
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <iptables> -F f2b-<name>
[Init]
# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
#blocktype = REJECT --reject-with icmp-port-unreachable
blocktype = DROP
# Option: returntype
# Note: This is the default rule on "actionstart". This should be RETURN
# in all (blocking) actions, except REJECT in allowing actions.
# Values: STRING
returntype = RETURN
# Option: lockingopt
# Notes.: Option was introduced to iptables to prevent multiple instances from
# running concurrently and causing irratic behavior. -w was introduced
# in iptables 1.4.20, so might be absent on older systems
# See https://github.com/fail2ban/fail2ban/issues/1122
# Values: STRING
lockingopt = -w
# Option: iptables
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = iptables <lockingopt>
[Init?family=inet6]
# Option: blocktype (ipv6)
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp6-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp6-port-unreachable
# Option: iptables (ipv6)
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = ip6tables <lockingopt>

90
fail2ban/action.d/iptables-ipset.conf.rpmnew
View File

@@ -1,90 +0,0 @@
# Fail2Ban configuration file
#
# Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
#
[INCLUDES]
before = iptables.conf
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
<_ipt_add_rules>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset flush <ipmset>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <_ipt_del_rules>
<actionflush>
ipset destroy <ipmset>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
# actionprolong = %(actionban)s
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset -exist del <ipmset> <ip>
# Several capabilities used internaly:
rule-jump = -m set --match-set <ipmset> src -j <blocktype>
[Init]
# Option: default-ipsettime
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
default-ipsettime = 0
# Option: ipsettime
# Notes: specifies ticket timeout (handled ipset timeout only)
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = family inet6

62
fail2ban/action.d/mail.conf.rpmsave
View File

@@ -1,62 +0,0 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Default name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = bogdan@898.ro

230
fail2ban/action.d/smtp.py.rpmnew
View File

@@ -1,230 +0,0 @@
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
import socket
import smtplib
from email.mime.text import MIMEText
from email.utils import formatdate, formataddr
from fail2ban.server.actions import ActionBase, CallingMap
messages = {}
messages['start'] = \
"""Hi,
The jail %(jailname)s has been started successfully.
Regards,
Fail2Ban"""
messages['stop'] = \
"""Hi,
The jail %(jailname)s has been stopped.
Regards,
Fail2Ban"""
messages['ban'] = {}
messages['ban']['head'] = \
"""Hi,
The IP %(ip)s has just been banned for %(bantime)i seconds
by Fail2Ban after %(failures)i attempts against %(jailname)s.
"""
messages['ban']['tail'] = \
"""
Regards,
Fail2Ban"""
messages['ban']['matches'] = \
"""
Matches for this ban:
%(matches)s
"""
messages['ban']['ipmatches'] = \
"""
Matches for %(ip)s:
%(ipmatches)s
"""
messages['ban']['ipjailmatches'] = \
"""
Matches for %(ip)s for jail %(jailname)s:
%(ipjailmatches)s
"""
class SMTPAction(ActionBase):
"""Fail2Ban action which sends emails to inform on jail starting,
stopping and bans.
"""
def __init__(
self, jail, name, host="localhost", user=None, password=None,
sendername="Fail2Ban", sender="fail2ban", dest="root", matches=None):
"""Initialise action.
Parameters
----------
jail : Jail
The jail which the action belongs to.
name : str
Named assigned to the action.
host : str, optional
SMTP host, of host:port format. Default host "localhost" and
port "25"
user : str, optional
Username used for authentication with SMTP server.
password : str, optional
Password used for authentication with SMTP server.
sendername : str, optional
Name to use for from address in email. Default "Fail2Ban".
sender : str, optional
Email address to use for from address in email.
Default "fail2ban".
dest : str, optional
Email addresses of intended recipient(s) in comma space ", "
delimited format. Default "root".
matches : str, optional
Type of matches to be included from ban in email. Can be one
of "matches", "ipmatches" or "ipjailmatches". Default None
(see man jail.conf.5).
"""
super(SMTPAction, self).__init__(jail, name)
self.host = host
#TODO: self.ssl = ssl
self.user = user
self.password =password
self.fromname = sendername
self.fromaddr = sender
self.toaddr = dest
self.matches = matches
self.message_values = CallingMap(
jailname = self._jail.name,
hostname = socket.gethostname,
bantime = lambda: self._jail.actions.getBanTime(),
)
# bypass ban/unban for restored tickets
self.norestored = 1
def _sendMessage(self, subject, text):
"""Sends message based on arguments and instance's properties.
Parameters
----------
subject : str
Subject of the email.
text : str
Body of the email.
Raises
------
SMTPConnectionError
Error on connecting to host.
SMTPAuthenticationError
Error authenticating with SMTP server.
SMTPException
See Python `smtplib` for full list of other possible
exceptions.
"""
msg = MIMEText(text)
msg['Subject'] = subject
msg['From'] = formataddr((self.fromname, self.fromaddr))
msg['To'] = self.toaddr
msg['Date'] = formatdate()
smtp = smtplib.SMTP()
try:
self._logSys.debug("Connected to SMTP '%s', response: %i: %s",
self.host, *smtp.connect(self.host))
if self.user and self.password: # pragma: no cover (ATM no tests covering that)
smtp.login(self.user, self.password)
failed_recipients = smtp.sendmail(
self.fromaddr, self.toaddr.split(", "), msg.as_string())
except smtplib.SMTPConnectError: # pragma: no cover
self._logSys.error("Error connecting to host '%s'", self.host)
raise
except smtplib.SMTPAuthenticationError: # pragma: no cover
self._logSys.error(
"Failed to authenticate with host '%s' user '%s'",
self.host, self.user)
raise
except smtplib.SMTPException: # pragma: no cover
self._logSys.error(
"Error sending mail to host '%s' from '%s' to '%s'",
self.host, self.fromaddr, self.toaddr)
raise
else:
if failed_recipients: # pragma: no cover
self._logSys.warning(
"Email to '%s' failed to following recipients: %r",
self.toaddr, failed_recipients)
self._logSys.debug("Email '%s' successfully sent", subject)
finally:
try:
self._logSys.debug("Disconnected from '%s', response %i: %s",
self.host, *smtp.quit())
except smtplib.SMTPServerDisconnected: # pragma: no cover
pass # Not connected
def start(self):
"""Sends email to recipients informing that the jail has started.
"""
self._sendMessage(
"[Fail2Ban] %(jailname)s: started on %(hostname)s" %
self.message_values,
messages['start'] % self.message_values)
def stop(self):
"""Sends email to recipients informing that the jail has stopped.
"""
self._sendMessage(
"[Fail2Ban] %(jailname)s: stopped on %(hostname)s" %
self.message_values,
messages['stop'] % self.message_values)
def ban(self, aInfo):
"""Sends email to recipients informing that ban has occurred.
Parameters
----------
aInfo : dict
Dictionary which includes information in relation to
the ban.
"""
if aInfo.get('restored'):
return
aInfo.update(self.message_values)
message = "".join([
messages['ban']['head'],
messages['ban'].get(self.matches, ""),
messages['ban']['tail']
])
self._sendMessage(
"[Fail2Ban] %(jailname)s: banned %(ip)s from %(hostname)s" %
aInfo,
message % aInfo)
Action = SMTPAction

225
fail2ban/action.d/smtp.py.rpmsave
View File

@@ -1,225 +0,0 @@
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
import socket
import smtplib
from email.mime.text import MIMEText
from email.utils import formatdate, formataddr
from fail2ban.server.actions import ActionBase, CallingMap
messages = {}
messages['start'] = \
"""Hi,
The jail %(jailname)s has been started successfully.
Regards,
Fail2Ban"""
messages['stop'] = \
"""Hi,
The jail %(jailname)s has been stopped.
Regards,
Fail2Ban"""
messages['ban'] = {}
messages['ban']['head'] = \
"""Hi,
The IP %(ip)s has just been banned for %(bantime)i seconds
by Fail2Ban after %(failures)i attempts against %(jailname)s.
"""
messages['ban']['tail'] = \
"""
Regards,
Fail2Ban"""
messages['ban']['matches'] = \
"""
Matches for this ban:
%(matches)s
"""
messages['ban']['ipmatches'] = \
"""
Matches for %(ip)s:
%(ipmatches)s
"""
messages['ban']['ipjailmatches'] = \
"""
Matches for %(ip)s for jail %(jailname)s:
%(ipjailmatches)s
"""
class SMTPAction(ActionBase):
"""Fail2Ban action which sends emails to inform on jail starting,
stopping and bans.
"""
def __init__(
self, jail, name, host="localhost", user=None, password=None,
sendername="Fail2Ban", sender="fail2ban", dest="root", matches=None):
"""Initialise action.
Parameters
----------
jail : Jail
The jail which the action belongs to.
name : str
Named assigned to the action.
host : str, optional
SMTP host, of host:port format. Default host "localhost" and
port "25"
user : str, optional
Username used for authentication with SMTP server.
password : str, optional
Password used for authentication with SMTP server.
sendername : str, optional
Name to use for from address in email. Default "Fail2Ban".
sender : str, optional
Email address to use for from address in email.
Default "fail2ban".
dest : str, optional
Email addresses of intended recipient(s) in comma space ", "
delimited format. Default "root".
matches : str, optional
Type of matches to be included from ban in email. Can be one
of "matches", "ipmatches" or "ipjailmatches". Default None
(see man jail.conf.5).
"""
super(SMTPAction, self).__init__(jail, name)
self.host = host
#TODO: self.ssl = ssl
self.user = user
self.password =password
self.fromname = sendername
self.fromaddr = sender
self.toaddr = dest
self.matches = matches
self.message_values = CallingMap(
jailname = self._jail.name,
hostname = socket.gethostname,
bantime = self._jail.actions.getBanTime,
)
def _sendMessage(self, subject, text):
"""Sends message based on arguments and instance's properties.
Parameters
----------
subject : str
Subject of the email.
text : str
Body of the email.
Raises
------
SMTPConnectionError
Error on connecting to host.
SMTPAuthenticationError
Error authenticating with SMTP server.
SMTPException
See Python `smtplib` for full list of other possible
exceptions.
"""
msg = MIMEText(text)
msg['Subject'] = subject
msg['From'] = formataddr((self.fromname, self.fromaddr))
msg['To'] = self.toaddr
msg['Date'] = formatdate()
smtp = smtplib.SMTP()
try:
self._logSys.debug("Connected to SMTP '%s', response: %i: %s",
self.host, *smtp.connect(self.host))
if self.user and self.password:
smtp.login(self.user, self.password)
failed_recipients = smtp.sendmail(
self.fromaddr, self.toaddr.split(", "), msg.as_string())
except smtplib.SMTPConnectError:
self._logSys.error("Error connecting to host '%s'", self.host)
raise
except smtplib.SMTPAuthenticationError:
self._logSys.error(
"Failed to authenticate with host '%s' user '%s'",
self.host, self.user)
raise
except smtplib.SMTPException:
self._logSys.error(
"Error sending mail to host '%s' from '%s' to '%s'",
self.host, self.fromaddr, self.toaddr)
raise
else:
if failed_recipients:
self._logSys.warning(
"Email to '%s' failed to following recipients: %r",
self.toaddr, failed_recipients)
self._logSys.debug("Email '%s' successfully sent", subject)
finally:
try:
self._logSys.debug("Disconnected from '%s', response %i: %s",
self.host, *smtp.quit())
except smtplib.SMTPServerDisconnected:
pass # Not connected
def start(self):
"""Sends email to recipients informing that the jail has started.
"""
self._sendMessage(
"[Fail2Ban] %(jailname)s: started on %(hostname)s" %
self.message_values,
messages['start'] % self.message_values)
def stop(self):
"""Sends email to recipients informing that the jail has stopped.
"""
self._sendMessage(
"[Fail2Ban] %(jailname)s: stopped on %(hostname)s" %
self.message_values,
messages['stop'] % self.message_values)
def ban(self, aInfo):
"""Sends email to recipients informing that ban has occurred.
Parameters
----------
aInfo : dict
Dictionary which includes information in relation to
the ban.
"""
aInfo.update(self.message_values)
message = "".join([
messages['ban']['head'],
messages['ban'].get(self.matches, ""),
messages['ban']['tail']
])
self._sendMessage(
"[Fail2Ban] %(jailname)s: banned %(ip)s from %(hostname)s" %
aInfo,
message % aInfo)
Action = SMTPAction

69
fail2ban/fail2ban.conf.rpmsave
View File

@@ -1,69 +0,0 @@
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = DEBUG
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: ERROR
#
loglevel = INFO
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
# auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ] Default: auto
syslogsocket = auto
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400

47
fail2ban/filter.d/dovecot.conf.rpmnew
View File

@@ -1,47 +0,0 @@
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
[INCLUDES]
before = common.conf
[Definition]
_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
<mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
mdre-normal =
# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal
ignoreregex =
journalmatch = _SYSTEMD_UNIT=dovecot.service
datepattern = {^LN-BEG}TAI64N
{^LN-BEG}
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
# Martin O'Neal (added LDAP authentication failure regex)
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)

26
fail2ban/filter.d/dovecot.conf.rpmsave
View File

@@ -1,26 +0,0 @@
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
# based on filter dovecot.conf from fail2ban-0.8.13
[INCLUDES]
before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap|managesieve)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity|: Too many invalid commands\.)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
ignoreregex =
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unuseable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)

38
fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave
View File

@@ -1,38 +0,0 @@
#!/usr/bin/env fail2ban-python
# Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
#
# Written in Python to reuse built-in Python batteries and not depend on
# presence of host and cut commands
#
import sys
from fail2ban.server.ipdns import DNSUtils, IPAddr
def process_args(argv):
if len(argv) != 2:
raise ValueError("Please provide a single IP as an argument. Got: %s\n"
% (argv[1:]))
ip = argv[1]
if not IPAddr(ip).isValid:
raise ValueError("Argument must be a single valid IP. Got: %s\n"
% ip)
return ip
google_ips = None
def is_googlebot(ip):
import re
host = DNSUtils.ipToName(ip)
if not host or not re.match(r'.*\.google(bot)?\.com$', host):
return False
host_ips = DNSUtils.dnsToIp(host)
return (ip in host_ips)
if __name__ == '__main__': # pragma: no cover
try:
ret = is_googlebot(process_args(sys.argv))
except ValueError as e:
sys.stderr.write(str(e))
sys.exit(2)
sys.exit(0 if ret else 1)

50
fail2ban/filter.d/named-refused.conf.rpmnew
View File

@@ -1,50 +0,0 @@
# Fail2Ban filter file for named (bind9).
#
# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
[Definition]
# Daemon name
_daemon=named
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
^zone transfer
^bad zone transfer request: '\S+/IN': non-authoritative zone
ignoreregex =
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko

52
fail2ban/filter.d/named-refused.conf.rpmsave
View File

@@ -1,52 +0,0 @@
# Fail2Ban filter file for named (bind9).
#
# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
[Definition]
# Daemon name
_daemon=named
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
prefregex = ^%(__line_prefix)s( error:)?\s*client \@\S+ <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^zone transfer '\S+/AXFR/\w+' denied\s*$
^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
ignoreregex =
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
#
# Author: Yaroslav Halchenko

23
fail2ban/filter.d/nginx-botsearch.conf.rpmsave
View File

@@ -1,23 +0,0 @@
#
# Fail2Ban filter to match web requests for selected URLs that don't exist
#
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>, server\: \S*\, request: \"(GET|POST|HEAD) \/.*\"
ignoreregex =
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
^[^\[]*\[({DATE})
{^LN-BEG}
# DEV Notes:
# Based on apache-botsearch filter
#
# Author: Frantisek Sumsal

39
fail2ban/filter.d/recidive.conf.rpmsave
View File

@@ -1,39 +0,0 @@
# Fail2Ban filter for repeat bans
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = fail2ban\.actions\s*
# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = recidive
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
#ignoreregex =
ignoreregex = \[recidive.*\]\s+Ban\s+<HOST>
[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
# Author: Tom Hendrikx, modifications by Amir Caspi

132
fail2ban/jail.conf.rpmsave
View File

@@ -1,132 +0,0 @@
# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = no
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
[named-tcp]
enabled = false
port = domain,953
protocol = tcp
action = iptables-multiport[name=named, port="53,953" protocol=tcp]
filter = named-refused
logpath = /var/named/data/security.log
[named-udp]
enabled = false
port = domain,953
protocol = udp
action = iptables-multiport[name=named, port="53,953" protocol=udp]
filter = named-refused
logpath = /var/named/data/security.log
[vsftpd]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
logpath = /var/log/vsftpd.log
maxretry = 3
[ngx-botsearch]
enabled = false
filter = nginx-botsearch
action = iptables-multiport[name=ngxbotsearch, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*.error.log
maxretry = 10
[php-url-fopen]
enabled = false
protocol = tcp
filter = php-url-fopen
action = iptables-multiport[name=php-url-fopen, port"http,https", protocol=tcp]
logpath = /var/log/nginx/*.access.log
maxretry = 3

204
freshclam.conf.rpmnew
View File

@@ -1,204 +0,0 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# This file will be owned by root, as long as freshclam was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamupdate
# Use DNS to verify virus database version. FreshClam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
# http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/whitelist.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# As of ClamAV 0.103.3, this setting may not be used when updating from the
# clamav.net CDN and can only be used when updating from a private mirror.
# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Use EXIT_1 to return 1 after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Maximum time in seconds for each download operation. 0 means no timeout.
# Default: 0
#ReceiveTimeout 1800
# With this option enabled, freshclam will attempt to load new databases into
# memory to make sure they are properly handled by libclamav before replacing
# the old ones.
# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
# are actively running ClamD or ClamScan during the update, then you may need
# to set `TestDatabases no`.
# Default: yes
#TestDatabases no
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no
# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2

211
freshclam.conf.rpmsave
View File

@@ -1,211 +0,0 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
LogRotate yes
# This option allows you to save the process identifier of the daemon
# Default: disabled
PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner amavis
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror db.local.clamav.net
DatabaseMirror db.local.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
# http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/whitelist.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 0
#ReceiveTimeout 1800
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file
# (safebrowsing.cvd) which will be automatically loaded by clamd and
# clamscan during the next reload, provided that the heuristic phishing
# detection is turned on. This database includes information about websites
# that may be phishing sites or possible sources of malware. When using this
# option, it's mandatory to run freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use.
# See https://transparencyreport.google.com/safe-browsing/overview
# and https://www.clamav.net/documents/safebrowsing for more information.
# Default: no
#SafeBrowsing yes
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no
# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2

42
httpd/conf.d/awstats.conf.rpmsave
View File

@@ -1,42 +0,0 @@
#
# Content of this file, with correct values, can be automatically added to
# your Apache server by using the AWStats configure.pl tool.
#
# If using Windows and Perl ActiveStat, this is to enable Perl script as CGI.
#ScriptInterpreterSource registry
#
# Directives to add to your Apache conf file to allow use of AWStats as a CGI.
# Note that path "/usr/share/awstats/" must reflect your AWStats install path.
#
Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/"
Alias /awstatscss "/usr/share/awstats/wwwroot/css/"
Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"
#
# This is to permit URL access to scripts/files in AWStats directory.
#
<Directory "/usr/share/awstats/wwwroot">
Options None
AllowOverride None
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order allow,deny
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
# Additional Perl modules
<IfModule mod_env.c>
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
</IfModule>

46
httpd/conf.d/perl.conf.rpmnew
View File

@@ -1,46 +0,0 @@
#
# Mod_perl incorporates a Perl interpreter into the Apache web server,
# so that the Apache web server can directly execute Perl code.
# Mod_perl links the Perl runtime library into the Apache web server
# and provides an object-oriented Perl interface for Apache's C
# language API. The end result is a quicker CGI script turnaround
# process, since no external Perl interpreter has to be started.
#
# Uncomment this line to globally enable warnings, which will be
# written to the server's error log. Warnings should be enabled
# during the development process, but should be disabled on a
# production server as they affect performance.
#
#PerlSwitches -w
# Uncomment this line to enable taint checking globally. When Perl is
# running in taint mode various checks are performed to reduce the
# risk of insecure data being passed to a subshell or being used to
# modify the filesystem. Unfortunately many Perl modules are not
# taint-safe, so you should exercise care before enabling it on a
# production server.
#
#PerlSwitches -T
# This will allow execution of mod_perl to compile your scripts to
# subroutines which it will execute directly, avoiding the costly
# compile process for most requests.
#
#Alias /perl /var/www/perl
#<Directory /var/www/perl>
# SetHandler perl-script
# PerlResponseHandler ModPerl::Registry
# PerlOptions +ParseHeaders
# Options +ExecCGI
#</Directory>
# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the ".example.com" to match your domain to enable.
#
#<Location /perl-status>
# SetHandler perl-script
# PerlResponseHandler Apache2::Status
# Require host .example.com
#</Location>

19
httpd/conf.d/welcome.conf.rpmnew
View File

@@ -1,19 +0,0 @@
#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
AllowOverride None
Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png

12
httpd/conf.modules.d/15-php.conf.rpmnew
View File

@@ -1,12 +0,0 @@
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
# Cannot load both php5 and php7 modules
<IfModule !mod_php5.c>
<IfModule prefork.c>
LoadModule php7_module modules/libphp7.so
</IfModule>
</IfModule>

1239
imunify360-webshield/common-proxies.conf.rpmsave
View File

File diff suppressed because it is too large Load Diff

678346
imunify360-webshield/country_ips.conf.rpmsave
View File

File diff suppressed because it is too large Load Diff

1
imunify360-webshield/splashscreen-antibot.conf.rpmsave
View File

@@ -1 +0,0 @@
splashscreen_antibot on;

13
issue.net.rpmsave
View File

@@ -1,13 +0,0 @@
*********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
*********************************************************************

3
issue.rpmnew
View File

@@ -1,3 +0,0 @@
\S
Kernel \r on an \m

13
issue.rpmsave
View File

@@ -1,13 +0,0 @@
*********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
*********************************************************************

17
logrotate.d/fail2ban.rpmsave
View File

@@ -1,17 +0,0 @@
#
# Gentoo:
# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
#
# Debian:
# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
/var/log/fail2ban.log {
missingok
notifempty
dateext
daily
rotate 14
postrotate
/usr/bin/fail2ban-client flushlogs >/dev/null || true
endscript
}

25
mail/spamassassin/init.pre.rpmnew
View File

@@ -1,25 +0,0 @@
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file contains plugin activation commands for plugins included
# in SpamAssassin 3.0.x releases. It will not be installed if you
# already have a file in place called "init.pre".
#
# There are now multiple files read to enable plugins in the
# /etc/mail/spamassassin directory; previously only one, "init.pre" was
# read. Now both "init.pre", "v310.pre", and any other files ending in
# ".pre" will be read. As future releases are made, new plugins will be
# added to new files, named according to the release they're added in.
###########################################################################
# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF

371
nagios/nrpe.cfg.rpmnew
View File

@@ -1,371 +0,0 @@
#############################################################################
#
# Sample NRPE Config File
#
# Notes:
#
# This is a sample configuration file for the NRPE daemon. It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#
#############################################################################
# LOG FACILITY
# The syslog facility that should be used for logging purposes.
log_facility=daemon
# LOG FILE
# If a log file is specified in this option, nrpe will write to
# that file instead of using syslog.
#log_file=/var/run/nrpe.log
# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on
debug=0
# PID FILE
# The name of the file in which the NRPE daemon should write it's process ID
# number. The file is only written if the NRPE daemon is started by the root
# user and is running in standalone mode.
pid_file=/run/nrpe/nrpe.pid
# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-privileged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
server_port=5666
# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
#server_address=127.0.0.1
# LISTEN QUEUE SIZE
# Listen queue size (backlog) for serving incoming connections.
# You may want to increase this value under high load.
#listen_queue_size=5
# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_user=nrpe
# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
nrpe_group=nrpe
# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
# (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
# supported.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd
allowed_hosts=127.0.0.1,::1
# COMMAND ARGUMENT PROCESSING
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments to commands that are executed. This option only works
# if the daemon was configured with the --enable-command-args configure script
# option.
#
# *** ENABLING THIS OPTION IS A SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow arguments, 1=allow command arguments
dont_blame_nrpe=0
# BASH COMMAND SUBSTITUTION
# This option determines whether or not the NRPE daemon will allow clients
# to specify arguments that contain bash command substitutions of the form
# $(...). This option only works if the daemon was configured with both
# the --enable-command-args and --enable-bash-command-substitution configure
# script options.
#
# *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
# Read the SECURITY file for information on some of the security implications
# of enabling this variable.
#
# Values: 0=do not allow bash command substitutions,
# 1=allow bash command substitutions
allow_bash_command_substitution=0
# COMMAND PREFIX
# This option allows you to prefix all commands with a user-defined string.
# A space is automatically added between the specified prefix string and the
# command line from the command definition.
#
# *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
# Usage scenario:
# Execute restricted commmands using sudo. For this to work, you need to add
# the nagios user to your /etc/sudoers. An example entry for allowing
# execution of the plugins from might be:
#
# nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
#
# This lets the nagios user run all commands in that directory (and only them)
# without asking for a password. If you do this, make sure you don't give
# random users write access to that directory or its contents!
# command_prefix=/usr/bin/sudo
# MAX COMMANDS
# This specifies how many children processes may be spawned at any one
# time, essentially limiting the fork()s that occur.
# Default (0) is set to unlimited
# max_commands=0
# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
command_timeout=60
# CONNECTION TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# wait for a connection to be established before exiting. This is sometimes
# seen where a network problem stops the SSL being established even though
# all network sessions are connected. This causes the nrpe daemons to
# accumulate, eating system resources. Do not set this too low.
connection_timeout=300
# WEAK RANDOM SEED OPTION
# This directive allows you to use SSL even if your system does not have
# a /dev/random or /dev/urandom (on purpose or because the necessary patches
# were not applied). The random number generator will be seeded from a file
# which is either a file pointed to by the environment valiable $RANDFILE
# or $HOME/.rnd. If neither exists, the pseudo random number generator will
# be initialized and a warning will be issued.
# Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
#allow_weak_random_seed=1
# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.
# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
# TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
# If you are using openssl 1.1.0 or above, the SSLv2 options are not available.
#ssl_version=SSLv2+
# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.
#ssl_use_adh=1
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
# greater.
#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
# SSL Certificate and Private Key Files
#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
# SSL USE CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
# 1 = Ask for client certificates
# 2 = Require client certificates
#ssl_client_certs=0
# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.
# Values: 0x00 (0) = No additional logging (default)
# 0x01 (1) = Log startup SSL/TLS parameters
# 0x02 (2) = Log remote IP address
# 0x04 (4) = Log SSL/TLS version of connections
# 0x08 (8) = Log which cipher is being used for the connection
# 0x10 (16) = Log if client has a certificate
# 0x20 (32) = Log details of client's certificate if it has one
# -1 or 0xff or 0x2f = All of the above
#ssl_logging=0x00
# NASTY METACHARACTERS
# This option allows you to override the list of characters that cannot
# be passed to the NRPE daemon.
# nasty_metachars=|`&><'\\[]{};\r\n
# This option allows you to enable or disable logging error messages to the syslog facilities.
# If this option is not set, the error messages will be logged.
disable_syslog=0
# COMMAND DEFINITIONS
# Command definitions that this daemon will run. Definitions
# are in the following format:
#
# command[<command_name>]=<command_line>
#
# When the daemon receives a request to return the results of <command_name>
# it will execute the command specified by the <command_line> argument.
#
# Unlike Nagios, the command line cannot contain macros - it must be
# typed exactly as it should be executed.
#
# Note: Any plugins that are used in the command lines must reside
# on the machine that this daemon is running on! The examples below
# assume that you have plugins installed in a /usr/local/nagios/libexec
# directory. Also note that you will have to modify the definitions below
# to match the argument format the plugins expect. Remember, these are
# examples only!
# The following examples use hardcoded command arguments...
# This is by far the most secure method of using NRPE
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load -r -w .15,.10,.05 -c .30,.25,.20
command[check_hda1]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200
# The following examples allow user-supplied arguments and can
# only be used if the NRPE daemon was compiled with support for
# command arguments *AND* the dont_blame_nrpe directive in this
# config file is set to '1'. This poses a potential security risk, so
# make sure you read the SECURITY file before doing this.
### MISC SYSTEM METRICS ###
#command[check_users]=/usr/lib64/nagios/plugins/check_users $ARG1$
#command[check_load]=/usr/lib64/nagios/plugins/check_load $ARG1$
#command[check_disk]=/usr/lib64/nagios/plugins/check_disk $ARG1$
#command[check_swap]=/usr/lib64/nagios/plugins/check_swap $ARG1$
#command[check_cpu_stats]=/usr/lib64/nagios/plugins/check_cpu_stats.sh $ARG1$
#command[check_mem]=/usr/lib64/nagios/plugins/custom_check_mem -n $ARG1$
### GENERIC SERVICES ###
#command[check_init_service]=sudo /usr/lib64/nagios/plugins/check_init_service $ARG1$
#command[check_services]=/usr/lib64/nagios/plugins/check_services -p $ARG1$
### SYSTEM UPDATES ###
#command[check_yum]=/usr/lib64/nagios/plugins/check_yum
#command[check_apt]=/usr/lib64/nagios/plugins/check_apt
### PROCESSES ###
#command[check_all_procs]=/usr/lib64/nagios/plugins/custom_check_procs
#command[check_procs]=/usr/lib64/nagios/plugins/check_procs $ARG1$
### OPEN FILES ###
#command[check_open_files]=/usr/lib64/nagios/plugins/check_open_files.pl $ARG1$
### NETWORK CONNECTIONS ###
#command[check_netstat]=/usr/lib64/nagios/plugins/check_netstat.pl -p $ARG1$ $ARG2$
### ASTERISK ###
#command[check_asterisk]=/usr/lib64/nagios/plugins/check_asterisk.pl $ARG1$
#command[check_sip]=/usr/lib64/nagios/plugins/check_sip $ARG1$
#command[check_asterisk_sip_peers]=sudo /usr/lib64/nagios/plugins/check_asterisk_sip_peers.sh $ARG1$
#command[check_asterisk_version]=/usr/lib64/nagios/plugins/nagisk.pl -c version
#command[check_asterisk_peers]=/usr/lib64/nagios/plugins/nagisk.pl -c peers
#command[check_asterisk_channels]=/usr/lib64/nagios/plugins/nagisk.pl -c channels
#command[check_asterisk_zaptel]=/usr/lib64/nagios/plugins/nagisk.pl -c zaptel
#command[check_asterisk_span]=/usr/lib64/nagios/plugins/nagisk.pl -c span -s 1
# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
#include_dir=<somedirectory>
#include_dir=<someotherdirectory>
include_dir=/etc/nrpe.d/
# KEEP ENVIRONMENT VARIABLES
# This directive allows you to retain specific variables from the environment
# when starting the NRPE daemon.
#keep_env_vars=NRPE_MULTILINESUPPORT,NRPE_PROGRAMVERSION

44
nginx/conf.d/default.conf.rpmnew
View File

@@ -1,44 +0,0 @@
server {
listen 80;
server_name localhost;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

484
postfix/access.rpmnew
View File

@@ -1,484 +0,0 @@
# ACCESS(5) ACCESS(5)
#
# NAME
# access - Postfix SMTP server access table
#
# SYNOPSIS
# postmap /etc/postfix/access
#
# postmap -q "string" /etc/postfix/access
#
# postmap -q - /etc/postfix/access <inputfile
#
# DESCRIPTION
# This document describes access control on remote SMTP
# client information: host names, network addresses, and
# envelope sender or recipient addresses; it is implemented
# by the Postfix SMTP server. See header_checks(5) or
# body_checks(5) for access control on the content of email
# messages.
#
# Normally, the access(5) table is specified as a text file
# that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
# "postmap /etc/postfix/access" to rebuild an indexed file
# after changing the corresponding text file.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
# lookup. As of Postfix 2.3, the search string is not case
# folded with database types such as regexp: or pcre: whose
# lookup fields can match both upper and lower case.
#
# TABLE FORMAT
# The input format for the postmap(1) command is as follows:
#
# pattern action
# When pattern matches a mail address, domain or host
# address, perform the corresponding action.
#
# blank lines and comments
# Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
# A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# EMAIL ADDRESS PATTERNS
# With lookups from indexed files such as DB or DBM, or from
# networked tables such as NIS, LDAP or SQL, patterns are
# tried in the order as listed below:
#
# user@domain
# Matches the specified mail address.
#
# domain.tld
# Matches domain.tld as the domain part of an email
# address.
#
# The pattern domain.tld also matches subdomains, but
# only when the string smtpd_access_maps is listed in
# the Postfix parent_domain_matches_subdomains con-
# figuration setting.
#
# .domain.tld
# Matches subdomains of domain.tld, but only when the
# string smtpd_access_maps is not listed in the Post-
# fix parent_domain_matches_subdomains configuration
# setting.
#
# user@ Matches all mail addresses with the specified user
# part.
#
# Note: lookup of the null sender address is not possible
# with some types of lookup table. By default, Postfix uses
# <> as the lookup key for such addresses. The value is
# specified with the smtpd_null_access_lookup_key parameter
# in the Postfix main.cf file.
#
# EMAIL ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
# ient delimiter (e.g., user+foo@domain), the lookup order
# becomes: user+foo@domain, user@domain, domain, user+foo@,
# and user@.
#
# HOST NAME/ADDRESS PATTERNS
# With lookups from indexed files such as DB or DBM, or from
# networked tables such as NIS, LDAP or SQL, the following
# lookup patterns are examined in the order as listed:
#
# domain.tld
# Matches domain.tld.
#
# The pattern domain.tld also matches subdomains, but
# only when the string smtpd_access_maps is listed in
# the Postfix parent_domain_matches_subdomains con-
# figuration setting.
#
# .domain.tld
# Matches subdomains of domain.tld, but only when the
# string smtpd_access_maps is not listed in the Post-
# fix parent_domain_matches_subdomains configuration
# setting.
#
# net.work.addr.ess
#
# net.work.addr
#
# net.work
#
# net Matches a remote IPv4 host address or network
# address range. Specify one to four decimal octets
# separated by ".". Do not specify "[]" , "/", lead-
# ing zeros, or hexadecimal forms.
#
# Network ranges are matched by repeatedly truncating
# the last ".octet" from a remote IPv4 host address
# string, until a match is found in the access table,
# or until further truncation is not possible.
#
# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
# net:work:addr:ess
#
# net:work:addr
#
# net:work
#
# net Matches a remote IPv6 host address or network
# address range. Specify three to eight hexadecimal
# octet pairs separated by ":", using the compressed
# form "::" for a sequence of zero-valued octet
# pairs. Do not specify "[]", "/", leading zeros, or
# non-compressed forms.
#
# A network range is matched by repeatedly truncating
# the last ":octetpair" from the compressed-form
# remote IPv6 host address string, until a match is
# found in the access table, or until further trunca-
# tion is not possible.
#
# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
# IPv6 support is available in Postfix 2.2 and later.
#
# ACCEPT ACTIONS
# OK Accept the address etc. that matches the pattern.
#
# all-numerical
# An all-numerical result is treated as OK. This for-
# mat is generated by address-based relay authoriza-
# tion schemes such as pop-before-smtp.
#
# For other accept actions, see "OTHER ACTIONS" below.
#
# REJECT ACTIONS
# Postfix version 2.3 and later support enhanced status
# codes as defined in RFC 3463. When no code is specified
# at the beginning of the text below, Postfix inserts a
# default enhanced status code of "5.7.1" in the case of
# reject actions, and "4.7.1" in the case of defer actions.
# See "ENHANCED STATUS CODES" below.
#
# 4NN text
#
# 5NN text
# Reject the address etc. that matches the pattern,
# and respond with the numerical three-digit code and
# text. 4NN means "try again later", while 5NN means
# "do not try again".
#
# The following responses have special meaning for
# the Postfix SMTP server:
#
# 421 text (Postfix 2.3 and later)
#
# 521 text (Postfix 2.6 and later)
# After responding with the numerical
# three-digit code and text, disconnect imme-
# diately from the SMTP client. This frees up
# SMTP server resources so that they can be
# made available to another SMTP client.
#
# Note: The "521" response should be used only
# with botnets and other malware where inter-
# operability is of no concern. The "send 521
# and disconnect" behavior is NOT defined in
# the SMTP standard.
#
# REJECT optional text...
# Reject the address etc. that matches the pattern.
# Reply with "$access_map_reject_code optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# DEFER optional text...
# Reject the address etc. that matches the pattern.
# Reply with "$access_map_defer_code optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# This feature is available in Postfix 2.6 and later.
#
# DEFER_IF_REJECT optional text...
# Defer the request if some later restriction would
# result in a REJECT action. Reply with
# "$access_map_defer_code 4.7.1 optional text..."
# when the optional text is specified, otherwise
# reply with a generic error response message.
#
# Prior to Postfix 2.6, the SMTP reply code is 450.
#
# This feature is available in Postfix 2.1 and later.
#
# DEFER_IF_PERMIT optional text...
# Defer the request if some later restriction would
# result in a an explicit or implicit PERMIT action.
# Reply with "$access_map_defer_code 4.7.1 optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# Prior to Postfix 2.6, the SMTP reply code is 450.
#
# This feature is available in Postfix 2.1 and later.
#
# For other reject actions, see "OTHER ACTIONS" below.
#
# OTHER ACTIONS
# restriction...
# Apply the named UCE restriction(s) (permit, reject,
# reject_unauth_destination, and so on).
#
# BCC user@domain
# Send one copy of the message to the specified
# recipient.
#
# If multiple BCC actions are specified within the
# same SMTP MAIL transaction, with Postfix 3.0 only
# the last action will be used.
#
# This feature is available in Postfix 3.0 and later.
#
# DISCARD optional text...
# Claim successful delivery and silently discard the
# message. Log the optional text if specified, oth-
# erwise log a generic message.
#
# Note: this action currently affects all recipients
# of the message. To discard only one recipient
# without discarding the entire message, use the
# transport(5) table to direct mail to the discard(8)
# service.
#
# This feature is available in Postfix 2.0 and later.
#
# DUNNO Pretend that the lookup key was not found. This
# prevents Postfix from trying substrings of the
# lookup key (such as a subdomain name, or a network
# address subnetwork).
#
# This feature is available in Postfix 2.0 and later.
#
# FILTER transport:destination
# After the message is queued, send the entire mes-
# sage through the specified external content filter.
# The transport name specifies the first field of a
# mail delivery agent definition in master.cf; the
# syntax of the next-hop destination is described in
# the manual page of the corresponding delivery
# agent. More information about external content
# filters is in the Postfix FILTER_README file.
#
# Note 1: do not use $number regular expression sub-
# stitutions for transport or destination unless you
# know that the information has a trusted origin.
#
# Note 2: this action overrides the main.cf con-
# tent_filter setting, and affects all recipients of
# the message. In the case that multiple FILTER
# actions fire, only the last one is executed.
#
# Note 3: the purpose of the FILTER command is to
# override message routing. To override the recipi-
# ent's transport but not the next-hop destination,
# specify an empty filter destination (Postfix 2.7
# and later), or specify a transport:destination that
# delivers through a different Postfix instance
# (Postfix 2.6 and earlier). Other options are using
# the recipient-dependent transport_maps or the sen-
# der-dependent sender_dependent_default_transport-
# _maps features.
#
# This feature is available in Postfix 2.0 and later.
#
# HOLD optional text...
# Place the message on the hold queue, where it will
# sit until someone either deletes it or releases it
# for delivery. Log the optional text if specified,
# otherwise log a generic message.
#
# Mail that is placed on hold can be examined with
# the postcat(1) command, and can be destroyed or
# released with the postsuper(1) command.
#
# Note: use "postsuper -r" to release mail that was
# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
# longer. Use "postsuper -H" only for mail that will
# not expire within a few delivery attempts.
#
# Note: this action currently affects all recipients
# of the message.
#
# This feature is available in Postfix 2.0 and later.
#
# PREPEND headername: headervalue
# Prepend the specified message header to the mes-
# sage. When more than one PREPEND action executes,
# the first prepended header appears before the sec-
# ond etc. prepended header.
#
# Note: this action must execute before the message
# content is received; it cannot execute in the con-
# text of smtpd_end_of_data_restrictions.
#
# This feature is available in Postfix 2.1 and later.
#
# REDIRECT user@domain
# After the message is queued, send the message to
# the specified address instead of the intended
# recipient(s). When multiple REDIRECT actions fire,
# only the last one takes effect.
#
# Note: this action overrides the FILTER action, and
# currently overrides all recipients of the message.
#
# This feature is available in Postfix 2.1 and later.
#
# INFO optional text...
# Log an informational record with the optional text,
# together with client information and if available,
# with helo, sender, recipient and protocol informa-
# tion.
#
# This feature is available in Postfix 3.0 and later.
#
# WARN optional text...
# Log a warning with the optional text, together with
# client information and if available, with helo,
# sender, recipient and protocol information.
#
# This feature is available in Postfix 2.1 and later.
#
# ENHANCED STATUS CODES
# Postfix version 2.3 and later support enhanced status
# codes as defined in RFC 3463. When an enhanced status
# code is specified in an access table, it is subject to
# modification. The following transformations are needed
# when the same access table is used for client, helo,
# sender, or recipient access restrictions; they happen
# regardless of whether Postfix replies to a MAIL FROM, RCPT
# TO or other SMTP command.
#
# o When a sender address matches a REJECT action, the
# Postfix SMTP server will transform a recipient DSN
# status (e.g., 4.1.1-4.1.6) into the corresponding
# sender DSN status, and vice versa.
#
# o When non-address information matches a REJECT
# action (such as the HELO command argument or the
# client hostname/address), the Postfix SMTP server
# will transform a sender or recipient DSN status
# into a generic non-address DSN status (e.g.,
# 4.0.0).
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# the entire string being looked up. Depending on the appli-
# cation, that string is an entire client hostname, an
# entire client IP address, or an entire mail address. Thus,
# no parent domain or parent network search is done,
# user@domain mail addresses are not broken up into their
# user@ and domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Patterns are applied in the order as specified in the ta-
# ble, until a pattern is found that matches the search
# string.
#
# Actions are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire
# client hostname, an entire client IP address, or an entire
# mail address. Thus, no parent domain or parent network
# search is done, user@domain mail addresses are not broken
# up into their user@ and domain constituent parts, nor is
# user+foo broken up into user and foo.
#
# Actions are the same as with indexed file lookups.
#
# EXAMPLE
# The following example uses an indexed file, so that the
# order of table entries does not matter. The example per-
# mits access by the client at address 1.2.3.4 but rejects
# all other clients in 1.2.3.0/24. Instead of hash lookup
# tables, some systems use dbm. Use the command "postconf
# -m" to find out what lookup tables Postfix supports on
# your system.
#
# /etc/postfix/main.cf:
# smtpd_client_restrictions =
# check_client_access hash:/etc/postfix/access
#
# /etc/postfix/access:
# 1.2.3 REJECT
# 1.2.3.4 OK
#
# Execute the command "postmap /etc/postfix/access" after
# editing the file.
#
# BUGS
# The table format does not understand quoting conventions.
#
# SEE ALSO
# postmap(1), Postfix lookup table manager
# smtpd(8), SMTP server
# postconf(5), configuration parameters
# transport(5), transport:nexthop syntax
#
# README FILES
# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# SMTPD_ACCESS_README, built-in SMTP server access control
# DATABASE_README, Postfix lookup table overview
#
# LICENSE
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# ACCESS(5)

307
postfix/canonical.rpmnew
View File

@@ -1,307 +0,0 @@
# CANONICAL(5) CANONICAL(5)
#
# NAME
# canonical - Postfix canonical table format
#
# SYNOPSIS
# postmap /etc/postfix/canonical
#
# postmap -q "string" /etc/postfix/canonical
#
# postmap -q - /etc/postfix/canonical <inputfile
#
# DESCRIPTION
# The optional canonical(5) table specifies an address map-
# ping for local and non-local addresses. The mapping is
# used by the cleanup(8) daemon, before mail is stored into
# the queue. The address mapping is recursive.
#
# Normally, the canonical(5) table is specified as a text
# file that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
# "postmap /etc/postfix/canonical" to rebuild an indexed
# file after changing the corresponding text file.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# By default the canonical(5) mapping affects both message
# header addresses (i.e. addresses that appear inside mes-
# sages) and message envelope addresses (for example, the
# addresses that are used in SMTP protocol commands). This
# is controlled with the canonical_classes parameter.
#
# NOTE: Postfix versions 2.2 and later rewrite message head-
# ers from remote SMTP clients only if the client matches
# the local_header_rewrite_clients parameter, or if the
# remote_header_rewrite_domain configuration parameter spec-
# ifies a non-empty value. To get the behavior before Post-
# fix 2.2, specify "local_header_rewrite_clients =
# static:all".
#
# Typically, one would use the canonical(5) table to replace
# login names by Firstname.Lastname, or to clean up
# addresses produced by legacy mail systems.
#
# The canonical(5) mapping is not to be confused with vir-
# tual alias support or with local aliasing. To change the
# destination but not the headers, use the virtual(5) or
# aliases(5) map instead.
#
# CASE FOLDING
# The search string is folded to lowercase before database
# lookup. As of Postfix 2.3, the search string is not case
# folded with database types such as regexp: or pcre: whose
# lookup fields can match both upper and lower case.
#
# TABLE FORMAT
# The input format for the postmap(1) command is as follows:
#
# pattern address
# When pattern matches a mail address, replace it by
# the corresponding address.
#
# blank lines and comments
# Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
# A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# TABLE SEARCH ORDER
# With lookups from indexed files such as DB or DBM, or from
# networked tables such as NIS, LDAP or SQL, each
# user@domain query produces a sequence of query patterns as
# described below.
#
# Each query pattern is sent to each specified lookup table
# before trying the next query pattern, until a match is
# found.
#
# user@domain address
# Replace user@domain by address. This form has the
# highest precedence.
#
# This is useful to clean up addresses produced by
# legacy mail systems. It can also be used to pro-
# duce Firstname.Lastname style addresses, but see
# below for a simpler solution.
#
# user address
# Replace user@site by address when site is equal to
# $myorigin, when site is listed in $mydestination,
# or when it is listed in $inet_interfaces or
# $proxy_interfaces.
#
# This form is useful for replacing login names by
# Firstname.Lastname.
#
# @domain address
# Replace other addresses in domain by address. This
# form has the lowest precedence.
#
# Note: @domain is a wild-card. When this form is
# applied to recipient addresses, the Postfix SMTP
# server accepts mail for any recipient in domain,
# regardless of whether that recipient exists. This
# may turn your mail system into a backscatter
# source: Postfix first accepts mail for non-existent
# recipients and then tries to return that mail as
# "undeliverable" to the often forged sender address.
#
# To avoid backscatter with mail for a wild-card
# domain, replace the wild-card mapping with explicit
# 1:1 mappings, or add a reject_unverified_recipient
# restriction for that domain:
#
# smtpd_recipient_restrictions =
# ...
# reject_unauth_destination
# check_recipient_access
# inline:{example.com=reject_unverified_recipient}
# unverified_recipient_reject_code = 550
#
# In the above example, Postfix may contact a remote
# server if the recipient is rewritten to a remote
# address.
#
# RESULT ADDRESS REWRITING
# The lookup result is subject to address rewriting:
#
# o When the result has the form @otherdomain, the
# result becomes the same user in otherdomain.
#
# o When "append_at_myorigin=yes", append "@$myorigin"
# to addresses without "@domain".
#
# o When "append_dot_mydomain=yes", append ".$mydomain"
# to addresses without ".domain".
#
# ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
# ient delimiter (e.g., user+foo@domain), the lookup order
# becomes: user+foo@domain, user@domain, user+foo, user, and
# @domain.
#
# The propagate_unmatched_extensions parameter controls
# whether an unmatched address extension (+foo) is propa-
# gated to the result of table lookup.
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
# addresses are not broken up into their user and @domain
# constituent parts, nor is user+foo broken up into user and
# foo.
#
# Patterns are applied in the order as specified in the ta-
# ble, until a pattern is found that matches the search
# string.
#
# Results are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# user and @domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Results are the same as with indexed file lookups.
#
# BUGS
# The table format does not understand quoting conventions.
#
# CONFIGURATION PARAMETERS
# The following main.cf parameters are especially relevant.
# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
#
# canonical_classes (envelope_sender, envelope_recipient,
# header_sender, header_recipient)
# What addresses are subject to canonical_maps
# address mapping.
#
# canonical_maps (empty)
# Optional address mapping lookup tables for message
# headers and envelopes.
#
# recipient_canonical_maps (empty)
# Optional address mapping lookup tables for envelope
# and header recipient addresses.
#
# sender_canonical_maps (empty)
# Optional address mapping lookup tables for envelope
# and header sender addresses.
#
# propagate_unmatched_extensions (canonical, virtual)
# What address lookup tables copy an address exten-
# sion from the lookup key to the lookup result.
#
# Other parameters of interest:
#
# inet_interfaces (all)
# The network interface addresses that this mail sys-
# tem receives mail on.
#
# local_header_rewrite_clients (permit_inet_interfaces)
# Rewrite message header addresses in mail from these
# clients and update incomplete addresses with the
# domain name in $myorigin or $mydomain; either don't
# rewrite message headers from other clients at all,
# or rewrite message headers and update incomplete
# addresses with the domain specified in the
# remote_header_rewrite_domain parameter.
#
# proxy_interfaces (empty)
# The network interface addresses that this mail sys-
# tem receives mail on by way of a proxy or network
# address translation unit.
#
# masquerade_classes (envelope_sender, header_sender,
# header_recipient)
# What addresses are subject to address masquerading.
#
# masquerade_domains (empty)
# Optional list of domains whose subdomain structure
# will be stripped off in email addresses.
#
# masquerade_exceptions (empty)
# Optional list of user names that are not subjected
# to address masquerading, even when their address
# matches $masquerade_domains.
#
# mydestination ($myhostname, localhost.$mydomain, local-
# host)
# The list of domains that are delivered via the
# $local_transport mail delivery transport.
#
# myorigin ($myhostname)
# The domain name that locally-posted mail appears to
# come from, and that locally posted mail is deliv-
# ered to.
#
# owner_request_special (yes)
# Enable special treatment for owner-listname entries
# in the aliases(5) file, and don't split owner-list-
# name and listname-request address localparts when
# the recipient_delimiter is set to "-".
#
# remote_header_rewrite_domain (empty)
# Don't rewrite message headers from remote clients
# at all when this parameter is empty; otherwise, re-
# write message headers and append the specified
# domain name to incomplete addresses.
#
# SEE ALSO
# cleanup(8), canonicalize and enqueue mail
# postmap(1), Postfix lookup table manager
# postconf(5), configuration parameters
# virtual(5), virtual aliasing
#
# README FILES
# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# DATABASE_README, Postfix lookup table overview
# ADDRESS_REWRITING_README, address rewriting guide
#
# LICENSE
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# CANONICAL(5)

738
postfix/main.cf.rpmnew
View File

@@ -1,738 +0,0 @@
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# COMPATIBILITY
#
# The compatibility_level determines what default settings Postfix
# will use for main.cf and master.cf settings. These defaults will
# change over time.
#
# To avoid breaking things, Postfix will use backwards-compatible
# default settings and log where it uses those old backwards-compatible
# default settings, until the system administrator has determined
# if any backwards-compatible default settings need to be made
# permanent in main.cf or master.cf.
#
# When this review is complete, update the compatibility_level setting
# below as recommended in the RELEASE_NOTES file.
#
# The level below is what should be used with new (not upgrade) installs.
#
compatibility_level = 2
# SOFT BOUNCE
#
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
#
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
#
queue_directory = /var/spool/postfix
# The command_directory parameter specifies the location of all
# postXXX commands.
#
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
#
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
#
data_directory = /var/lib/postfix
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
#
mail_owner = postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
#myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported
inet_protocols = all
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
#
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain + localhost. On
# a mail domain gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# For example, you define $mydestination domain recipients in
# the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
# feature of the Postfix local delivery agent (see local(8)).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
#
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
#
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
#
# If you're connected via UUCP, see also the default_transport parameter.
#
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
#
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
#
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
#
# Specify 0 to disable the feature. Valid delays are 0..10.
#
#in_flow_delay = 1s
# ADDRESS REWRITING
#
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
#
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
#
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
#
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
#
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
#
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
#
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
#
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#
#alias_maps = dbm:/etc/aliases
alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
#
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#
#recipient_delimiter = +
# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
#
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
#
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
#
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
# server using LMTP (Local Mail Transport Protocol), this is prefered
# over the older cyrus deliver program by setting the
# mailbox_transport as below:
#
# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#
# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
# these settings.
#
# local_destination_recipient_limit = 300
# local_destination_concurrency_limit = 5
#
# Of course you should adjust these settings as appropriate for the
# capacity of the hardware you are using. The recipient limit setting
# can be used to take advantage of the single instance message store
# capability of Cyrus. The concurrency limit can be used to control
# how many simultaneous LMTP sessions will be permitted to the Cyrus
# message store.
#
# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
# subsequent line in master.cf.
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
#
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
#
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
#
# luser_relay works only for the default Postfix local delivery agent.
#
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#
#luser_relay = $user@other.host
#luser_relay = $local@other.host
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
#
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
#
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
#
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
#
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
#
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
#
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
#
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
#
# debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
# >$config_directory/$process_name.$process_id.log & sleep 5
#
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen session, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
#
# debugger_command =
# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
# -dmS $process_name gdb $daemon_directory/$process_name
# $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
#
# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
#
mailq_path = /usr/bin/mailq.postfix
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
#
setgid_group = postdrop
# html_directory: The location of the Postfix HTML documentation.
#
html_directory = no
# manpage_directory: The location of the Postfix on-line manual pages.
#
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
#
sample_directory = /usr/share/doc/postfix/samples
# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix/README_FILES
# TLS CONFIGURATION
#
# Basic Postfix TLS configuration by default with self-signed certificate
# for inbound SMTP and also opportunistic TLS for outbound SMTP.
# The full pathname of a file with the Postfix SMTP server RSA certificate
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
# Announce STARTTLS support to remote SMTP clients, but do not require that
# clients use TLS encryption (opportunistic TLS inbound).
#
smtpd_tls_security_level = may
# Directory with PEM format Certification Authority certificates that the
# Postfix SMTP client uses to verify a remote SMTP server certificate.
#
smtp_tls_CApath = /etc/pki/tls/certs
# The full pathname of a file containing CA certificates of root CAs
# trusted to sign either remote SMTP server certificates or intermediate CA
# certificates.
#
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext (opportunistic TLS outbound).
#
smtp_tls_security_level = may
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix

133
postfix/master.cf.rpmnew
View File

@@ -1,133 +0,0 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}

317
postfix/transport.rpmnew
View File

@@ -1,317 +0,0 @@
# TRANSPORT(5) TRANSPORT(5)
#
# NAME
# transport - Postfix transport table format
#
# SYNOPSIS
# postmap /etc/postfix/transport
#
# postmap -q "string" /etc/postfix/transport
#
# postmap -q - /etc/postfix/transport <inputfile
#
# DESCRIPTION
# The optional transport(5) table specifies a mapping from
# email addresses to message delivery transports and
# next-hop destinations. Message delivery transports such
# as local or smtp are defined in the master.cf file, and
# next-hop destinations are typically hosts or domain names.
# The table is searched by the trivial-rewrite(8) daemon.
#
# This mapping overrides the default transport:nexthop
# selection that is built into Postfix:
#
# local_transport (default: local:$myhostname)
# This is the default for final delivery to domains
# listed with mydestination, and for [ipaddress] des-
# tinations that match $inet_interfaces or
# $proxy_interfaces. The default nexthop destination
# is the MTA hostname.
#
# virtual_transport (default: virtual:)
# This is the default for final delivery to domains
# listed with virtual_mailbox_domains. The default
# nexthop destination is the recipient domain.
#
# relay_transport (default: relay:)
# This is the default for remote delivery to domains
# listed with relay_domains. In order of decreasing
# precedence, the nexthop destination is taken from
# relay_transport, sender_dependent_relayhost_maps,
# relayhost, or from the recipient domain.
#
# default_transport (default: smtp:)
# This is the default for remote delivery to other
# destinations. In order of decreasing precedence,
# the nexthop destination is taken from sender_depen-
# dent_default_transport_maps, default_transport,
# sender_dependent_relayhost_maps, relayhost, or from
# the recipient domain.
#
# Normally, the transport(5) table is specified as a text
# file that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
# "postmap /etc/postfix/transport" to rebuild an indexed
# file after changing the corresponding transport table.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
# lookup. As of Postfix 2.3, the search string is not case
# folded with database types such as regexp: or pcre: whose
# lookup fields can match both upper and lower case.
#
# TABLE FORMAT
# The input format for the postmap(1) command is as follows:
#
# pattern result
# When pattern matches the recipient address or
# domain, use the corresponding result.
#
# blank lines and comments
# Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
# A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# The pattern specifies an email address, a domain name, or
# a domain name hierarchy, as described in section "TABLE
# LOOKUP".
#
# The result is of the form transport:nexthop and specifies
# how or where to deliver mail. This is described in section
# "RESULT FORMAT".
#
# TABLE SEARCH ORDER
# With lookups from indexed files such as DB or DBM, or from
# networked tables such as NIS, LDAP or SQL, patterns are
# tried in the order as listed below:
#
# user+extension@domain transport:nexthop
# Deliver mail for user+extension@domain through
# transport to nexthop.
#
# user@domain transport:nexthop
# Deliver mail for user@domain through transport to
# nexthop.
#
# domain transport:nexthop
# Deliver mail for domain through transport to nex-
# thop.
#
# .domain transport:nexthop
# Deliver mail for any subdomain of domain through
# transport to nexthop. This applies only when the
# string transport_maps is not listed in the par-
# ent_domain_matches_subdomains configuration set-
# ting. Otherwise, a domain name matches itself and
# its subdomains.
#
# * transport:nexthop
# The special pattern * represents any address (i.e.
# it functions as the wild-card pattern, and is
# unique to Postfix transport tables).
#
# Note 1: the null recipient address is looked up as
# $empty_address_recipient@$myhostname (default: mailer-dae-
# mon@hostname).
#
# Note 2: user@domain or user+extension@domain lookup is
# available in Postfix 2.0 and later.
#
# RESULT FORMAT
# The lookup result is of the form transport:nexthop. The
# transport field specifies a mail delivery transport such
# as smtp or local. The nexthop field specifies where and
# how to deliver mail.
#
# The transport field specifies the name of a mail delivery
# transport (the first name of a mail delivery service entry
# in the Postfix master.cf file).
#
# The nexthop field usually specifies one recipient domain
# or hostname. In the case of the Postfix SMTP/LMTP client,
# the nexthop field may contain a list of nexthop destina-
# tions separated by comma or whitespace (Postfix 3.5 and
# later).
#
# The syntax of a nexthop destination is transport depen-
# dent. With SMTP, specify a service on a non-default port
# as host:service, and disable MX (mail exchanger) DNS
# lookups with [host] or [host]:port. The [] form is
# required when you specify an IP address instead of a host-
# name.
#
# A null transport and null nexthop field means "do not
# change": use the delivery transport and nexthop informa-
# tion that would be used when the entire transport table
# did not exist.
#
# A non-null transport field with a null nexthop field
# resets the nexthop information to the recipient domain.
#
# A null transport field with non-null nexthop field does
# not modify the transport information.
#
# EXAMPLES
# In order to deliver internal mail directly, while using a
# mail relay for all other mail, specify a null entry for
# internal destinations (do not change the delivery trans-
# port or the nexthop information) and specify a wildcard
# for all other destinations.
#
# my.domain :
# .my.domain :
# * smtp:outbound-relay.my.domain
#
# In order to send mail for example.com and its subdomains
# via the uucp transport to the UUCP host named example:
#
# example.com uucp:example
# .example.com uucp:example
#
# When no nexthop host name is specified, the destination
# domain name is used instead. For example, the following
# directs mail for user@example.com via the slow transport
# to a mail exchanger for example.com. The slow transport
# could be configured to run at most one delivery process at
# a time:
#
# example.com slow:
#
# When no transport is specified, Postfix uses the transport
# that matches the address domain class (see DESCRIPTION
# above). The following sends all mail for example.com and
# its subdomains to host gateway.example.com:
#
# example.com :[gateway.example.com]
# .example.com :[gateway.example.com]
#
# In the above example, the [] suppress MX lookups. This
# prevents mail routing loops when your machine is primary
# MX host for example.com.
#
# In the case of delivery via SMTP or LMTP, one may specify
# host:service instead of just a host:
#
# example.com smtp:bar.example:2025
#
# This directs mail for user@example.com to host bar.example
# port 2025. Instead of a numerical port a symbolic name may
# be used. Specify [] around the hostname if MX lookups must
# be disabled.
#
# Deliveries via SMTP or LMTP support multiple destinations
# (Postfix >= 3.5):
#
# example.com smtp:bar.example, foo.example
#
# This tries to deliver to bar.example before trying to
# deliver to foo.example.
#
# The error mailer can be used to bounce mail:
#
# .example.com error:mail for *.example.com is not deliverable
#
# This causes all mail for user@anything.example.com to be
# bounced.
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus,
# some.domain.hierarchy is not looked up via its parent
# domains, nor is user+foo@domain looked up as user@domain.
#
# Patterns are applied in the order as specified in the ta-
# ble, until a pattern is found that matches the search
# string.
#
# The trivial-rewrite(8) server disallows regular expression
# substitution of $1 etc. in regular expression lookup
# tables, because that could open a security hole (Postfix
# version 2.3 and later).
#
# TCP-BASED TABLES
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
# Each lookup operation uses the entire recipient address
# once. Thus, some.domain.hierarchy is not looked up via
# its parent domains, nor is user+foo@domain looked up as
# user@domain.
#
# Results are the same as with indexed file lookups.
#
# CONFIGURATION PARAMETERS
# The following main.cf parameters are especially relevant.
# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
#
# empty_address_recipient (MAILER-DAEMON)
# The recipient of mail addressed to the null
# address.
#
# parent_domain_matches_subdomains (see 'postconf -d' out-
# put)
# A list of Postfix features where the pattern "exam-
# ple.com" also matches subdomains of example.com,
# instead of requiring an explicit ".example.com"
# pattern.
#
# transport_maps (empty)
# Optional lookup tables with mappings from recipient
# address to (message delivery transport, next-hop
# destination).
#
# SEE ALSO
# trivial-rewrite(8), rewrite and resolve addresses
# master(5), master.cf file format
# postconf(5), configuration parameters
# postmap(1), Postfix lookup table manager
#
# README FILES
# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# ADDRESS_REWRITING_README, address rewriting guide
# DATABASE_README, Postfix lookup table overview
# FILTER_README, external content filter
#
# LICENSE
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# TRANSPORT(5)

324
postfix/virtual.rpmnew
View File

@@ -1,324 +0,0 @@
# VIRTUAL(5) VIRTUAL(5)
#
# NAME
# virtual - Postfix virtual alias table format
#
# SYNOPSIS
# postmap /etc/postfix/virtual
#
# postmap -q "string" /etc/postfix/virtual
#
# postmap -q - /etc/postfix/virtual <inputfile
#
# DESCRIPTION
# The optional virtual(5) alias table rewrites recipient
# addresses for all local, all virtual, and all remote mail
# destinations. This is unlike the aliases(5) table which
# is used only for local(8) delivery. Virtual aliasing is
# recursive, and is implemented by the Postfix cleanup(8)
# daemon before mail is queued.
#
# The main applications of virtual aliasing are:
#
# o To redirect mail for one address to one or more
# addresses.
#
# o To implement virtual alias domains where all
# addresses are aliased to addresses in other
# domains.
#
# Virtual alias domains are not to be confused with
# the virtual mailbox domains that are implemented
# with the Postfix virtual(8) mail delivery agent.
# With virtual mailbox domains, each recipient
# address can have its own mailbox.
#
# Virtual aliasing is applied only to recipient envelope
# addresses, and does not affect message headers. Use
# canonical(5) mapping to rewrite header and envelope
# addresses in general.
#
# Normally, the virtual(5) alias table is specified as a
# text file that serves as input to the postmap(1) command.
# The result, an indexed file in dbm or db format, is used
# for fast searching by the mail system. Execute the command
# "postmap /etc/postfix/virtual" to rebuild an indexed file
# after changing the corresponding text file.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
# expressions, or lookups can be directed to TCP-based
# server. In those case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
# lookup. As of Postfix 2.3, the search string is not case
# folded with database types such as regexp: or pcre: whose
# lookup fields can match both upper and lower case.
#
# TABLE FORMAT
# The input format for the postmap(1) command is as follows:
#
# pattern address, address, ...
# When pattern matches a mail address, replace it by
# the corresponding address.
#
# blank lines and comments
# Empty lines and whitespace-only lines are ignored,
# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
# A logical line starts with non-whitespace text. A
# line that starts with whitespace continues a logi-
# cal line.
#
# TABLE SEARCH ORDER
# With lookups from indexed files such as DB or DBM, or from
# networked tables such as NIS, LDAP or SQL, each
# user@domain query produces a sequence of query patterns as
# described below.
#
# Each query pattern is sent to each specified lookup table
# before trying the next query pattern, until a match is
# found.
#
# user@domain address, address, ...
# Redirect mail for user@domain to address. This
# form has the highest precedence.
#
# user address, address, ...
# Redirect mail for user@site to address when site is
# equal to $myorigin, when site is listed in $mydes-
# tination, or when it is listed in $inet_interfaces
# or $proxy_interfaces.
#
# This functionality overlaps with functionality of
# the local aliases(5) database. The difference is
# that virtual(5) mapping can be applied to non-local
# addresses.
#
# @domain address, address, ...
# Redirect mail for other users in domain to address.
# This form has the lowest precedence.
#
# Note: @domain is a wild-card. With this form, the
# Postfix SMTP server accepts mail for any recipient
# in domain, regardless of whether that recipient
# exists. This may turn your mail system into a
# backscatter source: Postfix first accepts mail for
# non-existent recipients and then tries to return
# that mail as "undeliverable" to the often forged
# sender address.
#
# To avoid backscatter with mail for a wild-card
# domain, replace the wild-card mapping with explicit
# 1:1 mappings, or add a reject_unverified_recipient
# restriction for that domain:
#
# smtpd_recipient_restrictions =
# ...
# reject_unauth_destination
# check_recipient_access
# inline:{example.com=reject_unverified_recipient}
# unverified_recipient_reject_code = 550
#
# In the above example, Postfix may contact a remote
# server if the recipient is aliased to a remote
# address.
#
# RESULT ADDRESS REWRITING
# The lookup result is subject to address rewriting:
#
# o When the result has the form @otherdomain, the
# result becomes the same user in otherdomain. This
# works only for the first address in a multi-address
# lookup result.
#
# o When "append_at_myorigin=yes", append "@$myorigin"
# to addresses without "@domain".
#
# o When "append_dot_mydomain=yes", append ".$mydomain"
# to addresses without ".domain".
#
# ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
# ient delimiter (e.g., user+foo@domain), the lookup order
# becomes: user+foo@domain, user@domain, user+foo, user, and
# @domain.
#
# The propagate_unmatched_extensions parameter controls
# whether an unmatched address extension (+foo) is propa-
# gated to the result of table lookup.
#
# VIRTUAL ALIAS DOMAINS
# Besides virtual aliases, the virtual alias table can also
# be used to implement virtual alias domains. With a virtual
# alias domain, all recipient addresses are aliased to
# addresses in other domains.
#
# Virtual alias domains are not to be confused with the vir-
# tual mailbox domains that are implemented with the Postfix
# virtual(8) mail delivery agent. With virtual mailbox
# domains, each recipient address can have its own mailbox.
#
# With a virtual alias domain, the virtual domain has its
# own user name space. Local (i.e. non-virtual) usernames
# are not visible in a virtual alias domain. In particular,
# local aliases(5) and local mailing lists are not visible
# as localname@virtual-alias.domain.
#
# Support for a virtual alias domain looks like:
#
# /etc/postfix/main.cf:
# virtual_alias_maps = hash:/etc/postfix/virtual
#
# Note: some systems use dbm databases instead of hash. See
# the output from "postconf -m" for available database
# types.
#
# /etc/postfix/virtual:
# virtual-alias.domain anything (right-hand content does not matter)
# postmaster@virtual-alias.domain postmaster
# user1@virtual-alias.domain address1
# user2@virtual-alias.domain address2, address3
#
# The virtual-alias.domain anything entry is required for a
# virtual alias domain. Without this entry, mail is rejected
# with "relay access denied", or bounces with "mail loops
# back to myself".
#
# Do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#
# Instead of specifying the virtual alias domain name via
# the virtual_alias_maps table, you may also specify it via
# the main.cf virtual_alias_domains configuration parameter.
# This latter parameter uses the same syntax as the main.cf
# mydestination configuration parameter.
#
# REGULAR EXPRESSION TABLES
# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
# addresses are not broken up into their user and @domain
# constituent parts, nor is user+foo broken up into user and
# foo.
#
# Patterns are applied in the order as specified in the ta-
# ble, until a pattern is found that matches the search
# string.
#
# Results are the same as with indexed file lookups, with
# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# user and @domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Results are the same as with indexed file lookups.
#
# BUGS
# The table format does not understand quoting conventions.
#
# CONFIGURATION PARAMETERS
# The following main.cf parameters are especially relevant
# to this topic. See the Postfix main.cf file for syntax
# details and for default values. Use the "postfix reload"
# command after a configuration change.
#
# virtual_alias_maps ($virtual_maps)
# Optional lookup tables that alias specific mail
# addresses or domains to other local or remote
# address.
#
# virtual_alias_domains ($virtual_alias_maps)
# Postfix is final destination for the specified list
# of virtual alias domains, that is, domains for
# which all addresses are aliased to addresses in
# other local or remote domains.
#
# propagate_unmatched_extensions (canonical, virtual)
# What address lookup tables copy an address exten-
# sion from the lookup key to the lookup result.
#
# Other parameters of interest:
#
# inet_interfaces (all)
# The network interface addresses that this mail sys-
# tem receives mail on.
#
# mydestination ($myhostname, localhost.$mydomain, local-
# host)
# The list of domains that are delivered via the
# $local_transport mail delivery transport.
#
# myorigin ($myhostname)
# The domain name that locally-posted mail appears to
# come from, and that locally posted mail is deliv-
# ered to.
#
# owner_request_special (yes)
# Enable special treatment for owner-listname entries
# in the aliases(5) file, and don't split owner-list-
# name and listname-request address localparts when
# the recipient_delimiter is set to "-".
#
# proxy_interfaces (empty)
# The network interface addresses that this mail sys-
# tem receives mail on by way of a proxy or network
# address translation unit.
#
# SEE ALSO
# cleanup(8), canonicalize and enqueue mail
# postmap(1), Postfix lookup table manager
# postconf(5), configuration parameters
# canonical(5), canonical address mapping
#
# README FILES
# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# ADDRESS_REWRITING_README, address rewriting guide
# DATABASE_README, Postfix lookup table overview
# VIRTUAL_README, domain hosting guide
#
# LICENSE
# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
# P.O. Box 704
# Yorktown Heights, NY 10598, USA
#
# Wietse Venema
# Google, Inc.
# 111 8th Avenue
# New York, NY 10011, USA
#
# VIRTUAL(5)

59
ppp/options.pptp.rpmnew
View File

@@ -1,59 +0,0 @@
###############################################################################
# $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
#
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###############################################################################
# Lock the port
lock
# Authentication
# We don't need the tunnel server to authenticate itself
noauth
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
# Compression
# Turn off compression protocols we know won't be used
nobsdcomp
nodeflate
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose which of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)
#
# Note that using PPTP with MPPE and MSCHAP-V2 should be considered
# insecure:
# http://marc.info/?l=pptpclient-devel&m=134372640219039&w=2
# https://github.com/moxie0/chapcrack/blob/master/README.md
# http://technet.microsoft.com/en-us/security/advisory/2743314
# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# If the kernel is booted in FIPS mode (fips=1), the ppp_mppe.ko module
# is not allowed and PPTP-MPPE is not available.
# {{{
# Require MPPE 128-bit encryption
#require-mppe-128
# }}}
# http://mppe-mppc.alphacron.de/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# {{{
# Require MPPE 128-bit encryption
#mppe required,stateless
# }}}

Some files were not shown because too many files have changed in this diff Show More