diff --git a/.etckeeper b/.etckeeper index a7f7ec3..1f97b4c 100755 --- a/.etckeeper +++ b/.etckeeper @@ -5020,14 +5020,13 @@ maybe chmod 0640 'sqlgrey/sqlgrey.sql' maybe chmod 0755 'squid' maybe chgrp 'squid' 'squid/cachemgr.conf' maybe chmod 0644 'squid/cachemgr.conf' -maybe chmod 0644 'squid/cachemgr.conf.default' maybe chmod 0644 'squid/errorpage.css' -maybe chmod 0644 'squid/errorpage.css.default' maybe chmod 0644 'squid/mime.conf' -maybe chmod 0644 'squid/mime.conf.default' +maybe chgrp 'squid' 'squid/passwords' +maybe chmod 0640 'squid/passwords' maybe chgrp 'squid' 'squid/squid.conf' maybe chmod 0640 'squid/squid.conf' -maybe chmod 0644 'squid/squid.conf.default' +maybe chmod 0640 'squid/userip.conf' maybe chmod 0755 'ssh' maybe chmod 0644 'ssh/moduli' maybe chmod 0644 'ssh/sftp_config' diff --git a/csf/csf.pignore b/csf/csf.pignore index 1b9faef..7a0420e 100644 --- a/csf/csf.pignore +++ b/csf/csf.pignore @@ -167,4 +167,7 @@ exe:/var/ossec/bin/ossec-syscheckd exe:/var/ossec/bin/ossec-logcollector exe:/var/ossec/bin/wazuh-modulesd exe:/var/ossec/bin/ossec-execd +exe:/usr/sbin/squid + +user:squid diff --git a/squid/cachemgr.conf.default b/squid/cachemgr.conf.default deleted file mode 100644 index 5bdbecc..0000000 --- a/squid/cachemgr.conf.default +++ /dev/null 
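Review bot: `user:squid` in the added lines tells lfd to ignore every process running as the squid account, which is far broader than the `exe:/usr/sbin/squid` entry above it that already covers the daemon; any process spawned as that user after a compromise of the proxy or one of its helpers would be exempt from process tracking as well. If the user-level entry was added to stop alerts for the authentication helper, an executable-scoped line such as `exe:/usr/lib64/squid/basic_ncsa_auth` (the helper path squid.conf uses) keeps the exemption narrow. Dropping `user:squid` and keeping only `exe:` entries is the least-privilege choice here.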
@@ -1,21 +0,0 @@
-## Copyright (C) 1996-2021 The Squid Software Foundation and contributors
-##
-## Squid software is distributed under GPLv2+ license and includes
-## contributions from numerous individuals and organizations.
-## Please see the COPYING and CONTRIBUTORS files for details.
-##
-
-# This file controls which servers may be managed by
-# the cachemgr.cgi script
-#
-# The file consists of one server per line on the format
-# hostname:port description
-#
-# Specifying :port is optional. If not specified then
-# the default proxy port is assumed. :* or :any matches
-# any port on the target server.
-#
-# hostname is matched using shell filename matching, allowing
-# * and other shell wildcards.
-
-localhost
diff --git a/squid/errorpage.css.default b/squid/errorpage.css.default
deleted file mode 100644
index 38ba434..0000000
--- a/squid/errorpage.css.default
+++ /dev/null
@@ -1,104 +0,0 @@ -/* - * Copyright (C) 1996-2021 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - Stylesheet for Squid Error pages - Adapted from design by Free CSS Templates - http://www.freecsstemplates.org - Released for free under a Creative Commons Attribution 2.5 License -*/ - -/* Page basics */ -* { - font-family: verdana, sans-serif; -} - -html body { - margin: 0; - padding: 0; - background: #efefef; - font-size: 12px; - color: #1e1e1e; -} - -/* Page displayed title area */ -#titles { - margin-left: 15px; - padding: 10px; - padding-left: 100px; - background: url('/squid-internal-static/icons/SN.png') no-repeat left; -} - -/* initial title */ -#titles h1 { - color: #000000; -} -#titles h2 { - color: #000000; -} - -/* special event: FTP success page titles */ -#titles ftpsuccess { - background-color:#00ff00; - width:100%; -} - -/* Page displayed body content area */ -#content { - padding: 10px; - background: #ffffff; -} - -/* General text */ -p { -} - -/* error brief description */ -#error p { -} - -/* some data which may have caused the problem */ -#data { -} - -/* the error message received from the system or other software */ -#sysmsg { -} - -pre { -} - -/* special event: FTP / Gopher directory listing */ -#dirmsg { - font-family: courier, monospace; - color: black; - font-size: 10pt; -} -#dirlisting { - margin-left: 2%; - margin-right: 2%; -} -#dirlisting tr.entry td.icon,td.filename,td.size,td.date { - border-bottom: groove; -} -#dirlisting td.size { - width: 50px; - text-align: right; - padding-right: 5px; -} - -/* horizontal lines */ -hr { - margin: 0; -} - -/* page displayed footer area */ -#footer { - font-size: 9px; - padding-left: 10px; -} 
diff --git a/squid/mime.conf.default b/squid/mime.conf.default deleted file mode 100644 index e1fc509..0000000 --- a/squid/mime.conf.default +++ /dev/null 
@@ -1,196 +0,0 @@ -## Copyright (C) 1996-2021 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## -# -# This file associates URL patterns for servers or services -# that don't automatically include Content-Type (like ftp) with a mime type -# and a graphical icon. -# -# Content-Encodings are taken from section 3.1 of RFC2068 (HTTP/1.1) -# -# This file has the format : -# -# regexp content-type icon encoding mode actions -#-------------------------------------------------------------------------------------------------------- -\.gif$ image/gif silk/image.png - image +download -\.mime$ www/mime silk/page_white_text.png - ascii +download -^internal-dirup$ - silk/arrow_up.png - - -^internal-dir$ - silk/folder.png - - -^internal-link$ - silk/link.png - - -^internal-logo$ - SN.png - - -^internal-menu$ - silk/folder_table.png - - -^internal-text$ - silk/page_white_text.png - - -^internal-index$ - silk/folder_table.png - - -^internal-image$ - silk/image.png - - -^internal-sound$ - silk/music.png - - -^internal-movie$ - silk/film.png - - -^internal-telnet$ - silk/computer_link.png - - -^internal-binary$ - silk/application.png - - -^internal-unknown$ - silk/bullet_red.png - - -^internal-view$ - silk/page_white.png - - -^internal-download$ - silk/package_go.png - - -\.bin$ application/macbinary silk/application.png - image +download -\.oda$ application/oda silk/application.png - image +download -\.exe$ application/octet-stream silk/application.png - image +download -\.pdf$ application/pdf silk/page_white_acrobat.png - image +download -\.ai$ application/postscript silk/page_green.png - image +download +view -\.eps$ application/postscript silk/page_green.png - image +download +view -\.ps$ application/postscript silk/page_green.png - image +download +view -\.rtf$ text/rtf 
silk/page_white_picture.png - ascii +download +view -\.Z$ - silk/compress.png compress image +download -\.gz$ - silk/compress.png gzip image +download -\.bz2$ application/octet-stream silk/compress.png - image +download -\.bz$ application/octet-stream silk/compress.png - image +download -\.tgz$ application/x-tar silk/compress.png gzip image +download -\.csh$ application/x-csh silk/script.png - ascii +download +view -\.dvi$ application/x-dvi silk/page_white_text.png - image +download -\.hdf$ application/x-hdf silk/database.png - image +download -\.latex$ application/x-latex silk/page_white_text.png - ascii +download +view -\.lsm$ text/plain silk/page_white_text.png - ascii +download +view -\.nc$ application/x-netcdf silk/cd.png - image +download -\.cdf$ application/x-netcdf silk/cd.png - ascii +download -\.sh$ application/x-sh silk/script.png - ascii +download +view -\.tcl$ application/x-tcl silk/script.png - ascii +download +view -\.tex$ application/x-tex silk/page_white_text.png - ascii +download +view -\.texi$ application/x-texinfo silk/page_white_text.png - ascii +download +view -\.texinfo$ application/x-texinfo silk/page_white_text.png - ascii +download +view -\.t$ application/x-troff silk/page_white_text.png - ascii +download +view -\.roff$ application/x-troff silk/page_white_text.png - ascii +download +view -\.tr$ application/x-troff silk/page_white_text.png - ascii +download +view -\.man$ application/x-troff-man silk/page_white_magnify.png - ascii +download +view -\.me$ application/x-troff-me silk/page_white_text.png - ascii +download +view -\.ms$ application/x-troff-ms silk/page_white_text.png - ascii +download +view -\.src$ application/x-wais-source silk/script.png - ascii +download -\.zip$ application/zip silk/compress.png - image +download -\.bcpio$ application/x-bcpio silk/box.png - image +download -\.cpio$ application/x-cpio silk/box.png - image +download -\.gtar$ application/x-gtar silk/page_white_stack.png - image +download -\.rpm$ application/x-rpm 
silk/package.png - image +download -\.shar$ application/x-shar silk/script.png - image +download +view -\.sv4cpio$ application/x-sv4cpio silk/box.png - image +download -\.sv4crc$ application/x-sv4crc silk/box.png - image +download -\.tar$ application/x-tar silk/page_white_stack.png - image +download -\.ustar$ application/x-ustar silk/page_white_stack.png - image +download -\.au$ audio/basic silk/music.png - image +download -\.snd$ audio/basic silk/music.png - image +download -\.mp2$ audio/mpeg silk/music.png - image +download -\.mp3$ audio/mpeg silk/music.png - image +download -\.mpga$ audio/mpeg silk/music.png - image +download -\.aif$ audio/x-aiff silk/music.png - image +download -\.aiff$ audio/x-aiff silk/music.png - image +download -\.aifc$ audio/x-aiff silk/music.png - image +download -\.wav$ audio/x-wav silk/music.png - image +download -\.bmp$ image/bmp silk/image.png - image +download -\.ief$ image/ief silk/image.png - image +download -\.jpeg$ image/jpeg silk/photo.png - image +download -\.jpg$ image/jpeg silk/photo.png - image +download -\.jpe$ image/jpeg silk/photo.png - image +download -\.tiff$ image/tiff silk/photo.png - image +download -\.tif$ image/tiff silk/image.png - image +download -\.ras$ image/x-cmu-raster silk/image.png - image +download -\.pnm$ image/x-portable-anymap silk/image.png - image +download -\.pbm$ image/x-portable-bitmap silk/image.png - image +download -\.pgm$ image/x-portable-graymap silk/image.png - image +download -\.ppm$ image/x-portable-pixmap silk/image.png - image +download -\.rgb$ image/x-rgb silk/image.png - image +download -\.xbm$ image/x-xbitmap silk/image.png - image +download -\.xpm$ image/x-xpixmap silk/image.png - image +download -\.xwd$ image/x-xwindowdump silk/image.png - image +download -\.html$ text/html silk/page_world.png - ascii +download +view -\.htm$ text/html silk/page_world.png - ascii +download +view -\.css$ text/css silk/css.png - ascii +download +view -\.js$ application/x-javascript silk/script.png - 
ascii +download +view -\.c$ text/plain silk/page_white_c.png - ascii +download -\.h$ text/plain silk/page_white_c.png - ascii +download -\.cc$ text/plain silk/page_white_cplusplus.png - ascii +download -\.cpp$ text/plain silk/page_white_cplusplus.png - ascii +download -\.hh$ text/plain silk/page_white_c.png - ascii +download -\.m$ text/plain silk/script.png - ascii +download -\.f90$ text/plain silk/page_code.png - ascii +download -\.txt$ text/plain silk/page_white_text.png - ascii +download -\.asc$ text/plain silk/page_white_text.png - ascii +download -\.rtx$ text/richtext silk/page_white_picture.png - ascii +download +view -\.tsv$ text/tab-separated-values silk/script.png - ascii +download +view -\.etx$ text/x-setext silk/page_white_text.png - ascii +download +view -\.mpeg$ video/mpeg silk/film.png - image +download -\.mpg$ video/mpeg silk/film.png - image +download -\.mpe$ video/mpeg silk/film.png - image +download -\.qt$ video/quicktime silk/film.png - image +download -\.mov$ video/quicktime silk/film.png - image +download -\.avi$ video/x-msvideo silk/film.png - image +download -\.movie$ video/x-sgi-movie silk/film.png - image +download -\.cpt$ application/mac-compactpro silk/compress.png - image +download -\.hqx$ application/mac-binhex40 silk/page_white_zip.png - image +download -\.mwrt$ application/macwriteii silk/page_white_text.png - image +download -\.msw$ application/msword silk/script.png - image +download -\.doc$ application/msword silk/page_white_word.png - image +download +view -\.xls$ application/vnd.ms-excel silk/page_excel.png - image +download -\.ppt$ application/vnd.ms-powerpoint silk/page_white_powerpoint.png - image +download -\.wk[s1234]$ application/vnd.lotus-1-2-3 silk/script.png - image +download -\.mif$ application/vnd.mif silk/page_white_text.png - image +download -\.sit$ application/x-stuffit silk/compress.png - image +download -\.pict$ application/pict silk/picture.png - image +download -\.pic$ application/pict silk/picture.png - image 
+download -\.arj$ application/x-arj-compressed silk/compress.png - image +download -\.lzh$ application/x-lha-compressed silk/compress.png - image +download -\.lha$ application/x-lha-compressed silk/compress.png - image +download -\.zlib$ application/x-deflate silk/compress.png deflate image +download -README text/plain silk/information.png - ascii +download -^core$ application/octet-stream silk/bomb.png - image +download -\.core$ application/octet-stream silk/bomb.png - image +download -\.png$ image/png silk/image.png - image +download -\.cab$ application/octet-stream silk/compress.png - image +download +view -\.xpi$ application/x-xpinstall silk/plugin_add.png - image +download -\.class$ application/octet-stream silk/script_gear.png - image +download -\.java$ text/plain silk/cup.png - ascii +download -\.dcr$ application/x-director silk/script_palette.png - image +download -\.dir$ application/x-director silk/film.png - image +download -\.dxr$ application/x-director silk/film_key.png - image +download -\.djv$ image/vnd.djvu silk/image.png - image +download -\.djvu$ image/vnd.djvu silk/image.png - image +download -\.dll$ application/octet-stream silk/plugin.png - image +download -\.dms$ application/octet-stream silk/drive_disk.png - image +download -\.ez$ application/andrew-inset silk/bullet_red.png - image +download -\.ice$ x-conference/x-cooltalk silk/compress.png - image +download -\.iges$ model/iges silk/image.png - image +download -\.igs$ model/iges silk/image.png - image +download -\.kar$ audio/midi silk/music.png - image +download -\.mid$ audio/midi silk/music.png - image +download -\.midi$ audio/midi silk/music.png - image +download -\.mesh$ model/mesh silk/image.png - image +download -\.silo$ model/mesh silk/image.png - image +download -\.mxu$ video/vnd.mpegurl silk/film.png - image +download -\.pdb$ chemical/x-pdb silk/chart_line.png - image +download -\.pgn$ application/x-chess-pgn silk/bricks.png - image +download -\.ra$ audio/x-realaudio silk/music.png - 
image +download -\.ram$ audio/x-pn-realaudio silk/music.png - image +download -\.rm$ audio/x-pn-realaudio silk/music.png - image +download -\.sgml$ text/sgml silk/page_code.png - ascii +download -\.sgm$ text/sgml silk/page_code.png - ascii +download -\.skd$ application/x-koan silk/music.png - image +download -\.skm$ application/x-koan silk/music.png - image +download -\.skp$ application/x-koan silk/music.png - image +download -\.skt$ application/x-koan silk/music.png - image +download -\.smi$ application/smil silk/layers.png - image +download -\.smil$ application/smil silk/layers.png - image +download -\.so$ application/octet-stream silk/plugin.png - image +download -\.spl$ application/x-futuresplash silk/page_white_flash.png - image +download -\.swf$ application/x-shockwave-flash silk/page_white_flash.png - image +download -\.vcd$ application/x-cdlink silk/cd.png - image +download -\.vrml$ model/vrml silk/image.png - image +download -\.wbmp$ image/vnd.wap.wbmp silk/image.png - image +download -\.wbxml$ application/vnd.wap.wbxml silk/database_table.png - image +download -\.wmlc$ application/vnd.wap.wmlc silk/database_table.png - image +download -\.wmlsc$ application/vnd.wap.wmlscriptc silk/script.png - image +download -\.wmls$ application/vnd.wap.wmlscript silk/script.png - image +download -\.xht$ application/xhtml silk/page_world.png - ascii +download -\.xhtml$ application/xhtml silk/page_world.png - ascii +download -\.xml$ text/xml silk/page_world.png - ascii +download -\.xsl$ text/xml silk/layout.png - ascii +download -\.xyz$ chemical/x-xyz silk/chart_line.png - image +download -# -# the default -. text/plain silk/bullet_red.png - image +download +view diff --git a/squid/passwords b/squid/passwords new file mode 100644 index 0000000..30e1c33 --- /dev/null +++ b/squid/passwords @@ -0,0 +1 @@ +bogdan:$apr1$/N5qOCXI$I5zi9yiw0hpH21CBE/lHk0 diff --git a/squid/squid.conf b/squid/squid.conf index 8d52410..99eee66 100644 --- a/squid/squid.conf +++ b/squid/squid.conf 
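Review bot: The added line puts an `$apr1$` (MD5-based) password digest for user `bogdan` into the etckeeper repository, so the hash now lives in git history and will follow every clone, push or backup of /etc, where it can be cracked offline at MD5 speed. Consider excluding the file from tracking (add `squid/passwords` to the etckeeper `.gitignore` and purge it from history), and treat the password as exposed if the repository has already left the host. When regenerating it, prefer a stronger digest if the helper on this system accepts one (`htpasswd -B` for bcrypt — confirm against the basic_ncsa_auth documentation for the installed version), since the apr1 produced by `htpasswd -m` is the weak default. The `0640` root:squid mode recorded for the on-disk copy in `.etckeeper` is appropriate; the exposure is the tracked copy.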
@@ -1,19 +1,8 @@
-#
-# Recommended minimum configuration:
-#
-
-# Example rule allowing access from your local networks.
-# Adapt to list your (internal) IP networks from where browsing
-# should be allowed
-acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
-acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
-acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
-acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
-acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
-acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
-acl localnet src fc00::/7 # RFC 4193 local private network range
-acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
-
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
@@ -27,50 +16,22 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT -# -# Recommended minimum Access Permission configuration: -# -# Deny requests to certain unsafe ports http_access deny !Safe_ports - -# Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports - -# Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager - -# We strongly recommend the following be uncommented to protect innocent -# web applications running on the proxy server who think the only -# one who can access services on "localhost" is a local user -#http_access deny to_localhost - -# -# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS -# - -# Example rule allowing access from your local networks. -# Adapt localnet in the ACL section to list your (internal) IP networks -# from where browsing should be allowed http_access allow localnet http_access allow localhost -# And finally deny all other access to this proxy -http_access deny all - -# Squid normally listens to port 3128 http_port 3128 -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs /var/spool/squid 100 16 256 +auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd +auth_param basic children 5 +auth_param basic realm Squid Basic Authentication +auth_param basic credentialsttl 2 hours -# Leave coredumps in the first cache dir -coredump_dir /var/spool/squid +acl auth_users proxy_auth REQUIRED +http_access allow auth_users + +http_access deny all -# -# Add any of your own refresh_pattern entries above these. -# -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 -refresh_pattern . 0 20% 4320 diff --git a/squid/squid.conf.default b/squid/squid.conf.default deleted file mode 100644 index 8d52410..0000000 --- a/squid/squid.conf.default +++ /dev/null 
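Review bot: `auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd` names a file this commit does not create — the credential file added is `squid/passwords` — so the helper will fail to open its store and every `proxy_auth` check will be rejected; change the line to `auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords` or rename the file. Independently, `http_access allow localnet` still precedes `http_access allow auth_users`, so RFC1918 clients are admitted without ever reaching the auth check and the new credentials only gate off-LAN sources; if authentication is meant to be mandatory, remove that allow line (or move it below the auth rule). The `#http_access deny to_localhost` hint from the stock file was deleted rather than enabled, leaving proxied access to services bound to 127.0.0.1 on this host open to any admitted client; `http_access deny to_localhost` placed before the allow lines closes that. Basic credentials traverse the plain `http_port 3128` listener base64-encoded, so `credentialsttl 2 hours` caps helper lookups rather than on-wire exposure — worth a comment in the file if LAN-only reachability is the accepted mitigation.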
@@ -1,76 +0,0 @@
-#
-# Recommended minimum configuration:
-#
-
-# Example rule allowing access from your local networks.
-# Adapt to list your (internal) IP networks from where browsing
-# should be allowed
-acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
-acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
-acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
-acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
-acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
-acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
-acl localnet src fc00::/7 # RFC 4193 local private network range
-acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
-
-acl SSL_ports port 443
-acl Safe_ports port 80 # http
-acl Safe_ports port 21 # ftp
-acl Safe_ports port 443 # https
-acl Safe_ports port 70 # gopher
-acl Safe_ports port 210 # wais
-acl Safe_ports port 1025-65535 # unregistered ports
-acl Safe_ports port 280 # http-mgmt
-acl Safe_ports port 488 # gss-http
-acl Safe_ports port 591 # filemaker
-acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
-
-#
-# Recommended minimum Access Permission configuration:
-#
-# Deny requests to certain unsafe ports
-http_access deny !Safe_ports
-
-# Deny CONNECT to other than secure SSL ports
-http_access deny CONNECT !SSL_ports
-
-# Only allow cachemgr access from localhost
-http_access allow localhost manager
-http_access deny manager
-
-# We strongly recommend the following be uncommented to protect innocent
-# web applications running on the proxy server who think the only
-# one who can access services on "localhost" is a local user
-#http_access deny to_localhost
-
-#
-# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
-#
-
-# Example rule allowing access from your local networks.
-# Adapt localnet in the ACL section to list your (internal) IP networks
-# from where browsing should be allowed
-http_access allow localnet
-http_access allow localhost
-
-# And finally deny all other access to this proxy
-http_access deny all
-
-# Squid normally listens to port 3128
-http_port 3128
-
-# Uncomment and adjust the following to add a disk cache directory.
-#cache_dir ufs /var/spool/squid 100 16 256
-
-# Leave coredumps in the first cache dir
-coredump_dir /var/spool/squid
-
-#
-# Add any of your own refresh_pattern entries above these.
-#
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
diff --git a/squid/userip.conf b/squid/userip.conf
new file mode 100644
index 0000000..03b3254
--- /dev/null
+++ b/squid/userip.conf
@@ -0,0 +1 @@
+192.168.1.3 bogdan
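Review bot: Nothing in the squid.conf left by this commit references `userip.conf`, so the `192.168.1.3 bogdan` mapping has no effect on access control as far as the visible configuration shows; if it is meant to tie the user to that address it needs an ACL that loads the file, and 192.168.1.3 already falls inside the `localnet` range that is allowed without authentication. The file also carries no comment saying which directive is expected to consume it or in what format — a header such as `# <client-ip> <username>, loaded by <acl name> in squid.conf` would make the intent checkable. `.etckeeper` records it as mode 0640 without the `chgrp squid` applied to `squid/passwords`, so if a helper running as the squid user is ever pointed at it, it will be unreadable.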