diff --git a/.etckeeper b/.etckeeper
index ae687df..d541162 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -370,11 +370,11 @@ maybe chmod 0600 'csf/csf.blocklists.new'
 maybe chmod 0600 'csf/csf.cloudflare'
 maybe chmod 0600 'csf/csf.conf'
 maybe chmod 0600 'csf/csf.conf.i360bak'
-maybe chmod 0600 'csf/csf.deny'
+maybe chmod 0640 'csf/csf.deny'
 maybe chmod 0600 'csf/csf.dirwatch'
 maybe chmod 0600 'csf/csf.dyndns'
 maybe chmod 0600 'csf/csf.fignore'
-maybe chmod 0600 'csf/csf.ignore'
+maybe chmod 0640 'csf/csf.ignore'
 maybe chmod 0600 'csf/csf.logfiles'
 maybe chmod 0600 'csf/csf.logignore'
 maybe chmod 0600 'csf/csf.mignore'
@@ -973,7 +973,7 @@ maybe chmod 0600 'gssproxy/99-nfs-client.conf'
 maybe chmod 0600 'gssproxy/gssproxy.conf'
 maybe chmod 0644 'host.conf'
 maybe chmod 0644 'hostname'
-maybe chmod 0644 'hosts'
+maybe chmod 0640 'hosts'
 maybe chgrp 'ossec' 'hosts.deny'
 maybe chmod 0644 'hosts.deny'
 maybe chmod 0644 'hosts.sbak'
@@ -991,8 +991,7 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew'
 maybe chmod 0644 'httpd/conf.d/php.conf'
 maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf'
 maybe chmod 0644 'httpd/conf.d/squid.conf'
-maybe chmod 0644 'httpd/conf.d/ssl.conf'
-maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled'
+maybe chmod 0640 'httpd/conf.d/ssl.conf_disabled'
 maybe chmod 0644 'httpd/conf.d/userdir.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf'
 maybe chmod 0644 'httpd/conf.d/welcome.conf.rpmnew'
@@ -4187,9 +4186,6 @@ maybe chmod 0640 'nginx/conf.d/default.conf.rpmnew'
 maybe chown 'nginx' 'nginx/conf.d/files.898.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/files.898.ro.conf'
 maybe chmod 0640 'nginx/conf.d/files.898.ro.conf'
-maybe chown 'nginx' 'nginx/conf.d/files.898.ro.conf_'
-maybe chgrp 'nginx' 'nginx/conf.d/files.898.ro.conf_'
-maybe chmod 0640 'nginx/conf.d/files.898.ro.conf_'
 maybe chown 'nginx' 'nginx/conf.d/fl.898.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/fl.898.ro.conf'
 maybe chmod 0640 'nginx/conf.d/fl.898.ro.conf'
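Review bot: `+maybe chmod 0640 'hosts'` in the @@ -973 hunk removes world-read from /etc/hosts with no accompanying chown/chgrp line, so the file presumably stays root-owned and every daemon running under its own account (nginx and php-fpm appear elsewhere in this commit, ossec is given hosts.deny) loses the ability to read it; their lookups of the *.lan and *.898.ro names that the hosts diff keeps would then fall through to DNS or fail. Unless the file is given a group those services share, this should stay `maybe chmod 0644 'hosts'`. The tighter modes on csf.deny, csf.ignore and ssl.conf_disabled are harmless, since csf/lfd and httpd read them as root. The mode has to be corrected on the file itself; .etckeeper is regenerated by etckeeper and will follow.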
@@ -4619,9 +4615,6 @@ maybe chmod 0640 'nginx/conf.d/madalin.anywhere.ro.conf'
 maybe chown 'nginx' 'nginx/conf.d/mail.898.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/mail.898.ro.conf'
 maybe chmod 0640 'nginx/conf.d/mail.898.ro.conf'
-maybe chown 'nginx' 'nginx/conf.d/mail.898.ro.conf_'
-maybe chgrp 'nginx' 'nginx/conf.d/mail.898.ro.conf_'
-maybe chmod 0640 'nginx/conf.d/mail.898.ro.conf_'
 maybe chown 'nginx' 'nginx/conf.d/mail.anywhere.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/mail.anywhere.ro.conf'
 maybe chmod 0640 'nginx/conf.d/mail.anywhere.ro.conf'
@@ -4637,7 +4630,9 @@ maybe chmod 0640 'nginx/conf.d/mtr.898.ro.conf'
 maybe chown 'nginx' 'nginx/conf.d/padmin.club3d.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/padmin.club3d.ro.conf'
 maybe chmod 0640 'nginx/conf.d/padmin.club3d.ro.conf'
-maybe chmod 0644 'nginx/conf.d/php-fpm.conf'
+maybe chown 'nginx' 'nginx/conf.d/php-fpm.conf'
+maybe chgrp 'nginx' 'nginx/conf.d/php-fpm.conf'
+maybe chmod 0640 'nginx/conf.d/php-fpm.conf'
 maybe chown 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf'
 maybe chmod 0640 'nginx/conf.d/rspamd.club3d.ro.conf'
@@ -4656,9 +4651,6 @@ maybe chmod 0640 'nginx/conf.d/support.898.ro.conf'
 maybe chown 'nginx' 'nginx/conf.d/trace.898.ro.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/trace.898.ro.conf'
 maybe chmod 0640 'nginx/conf.d/trace.898.ro.conf'
-maybe chown 'nginx' 'nginx/conf.d/trace.898.ro.ssl.conf_'
-maybe chgrp 'nginx' 'nginx/conf.d/trace.898.ro.ssl.conf_'
-maybe chmod 0640 'nginx/conf.d/trace.898.ro.ssl.conf_'
 maybe chown 'nginx' 'nginx/conf.d/trtlexplorer.gocrypto.conf'
 maybe chgrp 'nginx' 'nginx/conf.d/trtlexplorer.gocrypto.conf'
 maybe chmod 0640 'nginx/conf.d/trtlexplorer.gocrypto.conf'
diff --git a/csf/csf.ignore b/csf/csf.ignore
index aa97bdf..a6d74be 100644
--- a/csf/csf.ignore
+++ b/csf/csf.ignore
@@ -29,8 +29,7 @@
 46.97.176.82
 # RDS
-188.26.227.57
-86.127.8.66
+188.26.226.4
 # RND
 82.76.35.226
@@ -51,3 +50,4 @@ 188.25.147.94 188.26.229.84 188.25.216.85 +188.25.145.26 diff --git a/hosts b/hosts index b6b8492..1dea586 100644 --- a/hosts +++ b/hosts @@ -22,6 +22,9 @@ 198.199.68.81 terminal.spiffy.tv terminal 167.172.104.133 haproxy.lan haproxy +# Learnworks +159.223.228.222 learnworks + # other 67.227.87.208 elasticity.coinmarketalert.com 161.35.123.47 login.back-proxy.com @@ -44,13 +47,9 @@ 10.208.1.11 srv1.lan srv1 10.208.1.254 esw1.lan esw1 10.208.0.1 er1.lan er1 -# 10.208.1.69 efa.898.ro efa 10.208.1.111 gitlab.898.ro -# DigitalOcean -159.89.30.41 icinga.898.ro - # Itratos 49.12.121.13 s1.ondua.de # proxmox 49.12.121.27 vs1.ondua.de @@ -63,18 +62,12 @@ 188.214.17.248 cacti.898.ro cacti 188.215.64.126 bogdan.gazduire.ro bogdan -185.47.62.100 hera.escorte.pro hera -52.58.85.244 panda.898.ro panda larisa-aws 89.45.198.101 BB-GW02.ad.bytebees.ro -91.208.142.210 bunescu.ro bunescu # Maxime K 62.138.3.68 astra 188.138.89.35 xray -# Peter Laurent -43.229.62.216 alpha - # Imperial Hip Hop 192.99.8.138 hip-old 192.99.44.187 hip-new 
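Review bot: `+188.25.145.26` in the @@ -51 hunk lands at the end of csf.ignore without a label, while every other address in the file sits under a comment naming its owner (`# RDS`, `# RND`); an unlabelled lfd exemption is hard to audit or revoke later, so put a `# <owner or purpose>` line above it. The @@ -29 hunk replaces one RDS address with another, which suggests these are dynamically assigned subscriber addresses; an ignore entry for such an address outlives the subscriber's lease and then exempts whoever is assigned it next, so these entries deserve a review date in their comment rather than indefinite listing.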
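Review bot: `+159.223.228.222 learnworks` in the @@ -22 hunk carries only a short alias, whereas the neighbouring entries use the `fqdn alias` form (`167.172.104.133 haproxy.lan haproxy`), so the line should read `159.223.228.222 <learnworks fqdn> learnworks`. The @@ -44 hunk drops `159.89.30.41 icinga.898.ro` with no replacement, so anything on this host that still addresses icinga.898.ro will resolve it through DNS from now on, or fail if the name is not published there; confirm nothing still references it before relying on the removal.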
@@ -82,66 +75,6 @@ # SolaDrive 198.12.87.151 bogdan-sola -192.3.136.2 server1.desibees.com - -98.143.145.137 pg-master-sola -192.227.213.123 pg-slave-sola - - -### GAZDUIRE WEB ### - -# SG-uri -188.214.17.20 sg1.gazduire.ro sg1 -188.214.17.22 sg2.gazduire.ro sg2 -188.214.17.24 sg3.gazduire.ro sg3 -188.214.17.26 sg4.gazduire.ro sg4 -188.214.17.28 sg5.gazduire.ro sg5 -188.214.17.30 sg6.gazduire.ro sg6 -188.214.17.200 sg7.gazduire.ro sg7 -188.214.17.34 sg8.gazduire.ro sg8 -188.214.17.36 sg9.gazduire.ro sg9 -188.214.17.38 sg10.gazduire.ro sg10 -188.214.17.40 sg11.gazduire.ro sg11 -188.214.17.162 sg12.gazduire.ro sg12 -188.214.17.44 sg13.gazduire.ro sg13 - -# VG-uri -188.214.21.2 vg1.gazduire.ro vg1 -188.214.21.4 vg2.gazduire.ro vg2 -188.214.21.6 vg3.gazduire.ro vg3 -188.214.21.8 vg4.gazduire.ro vg4 -188.214.21.10 vg5.gazduire.ro vg5 -188.214.21.12 vg6.gazduire.ro vg6 -188.214.21.14 vg7.gazduire.ro vg7 -188.214.21.16 vg8.gazduire.ro vg8 -188.214.21.18 vg9.gazduire.ro vg9 -188.214.21.201 vg10.gazduire.ro vg10 -188.214.21.17 vg11.gazduire.ro vg11 -188.215.64.164 vg12.gazduire.ro vg12 -188.214.18.2 vg13.gazduire.ro vg13 - -# RG-uri -188.215.64.10 rg1.gazduire.ro rg1 -188.215.64.12 rg2.gazduire.ro rg2 -188.215.64.14 rg3.gazduire.ro rg3 -188.215.64.16 rg4.gazduire.ro rg4 -188.215.64.18 rg5.gazduire.ro rg5 - -# DB-uri -188.214.17.23 db1.gazduire.ro db1 -188.214.17.25 db2.gazduire.ro db2 -188.214.17.27 db3.gazduire.ro db3 -188.214.17.29 db4.gazduire.ro db4 -188.214.17.8 db5.gazduire.ro db5 -188.214.21.3 dbv1.gazduire.ro dbv1 -188.214.21.5 dbv2.gazduire.ro dbv2 -188.214.21.7 dbv3.gazduire.ro dbv3 -188.214.21.9 dbv4.gazduire.ro dbv4 -188.214.21.200 dbv5.gazduire.ro dbv5 -188.215.64.11 dbr1.gazduire.ro dbr1 -188.215.64.13 dbr2.gazduire.ro dbr2 -188.215.64.15 dbr3.gazduire.ro dbr3 - # SolaDrive 208.85.0.131 sola-cacti 208.85.0.133 sola-whmcs diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf deleted file mode 100644 index d28adf3..0000000 
--- a/httpd/conf.d/ssl.conf
+++ /dev/null
@@ -1,203 +0,0 @@
-#
-# When we also provide SSL we have to listen to the
-# standard HTTPS port in addition.
-#
-Listen 443 https
-
-##
-## SSL Global Context
-##
-## All SSL configuration in this context applies both to
-## the main server and all SSL-enabled virtual hosts.
-##
-
-# Pass Phrase Dialog:
-# Configure the pass phrase gathering process.
-# The filtering dialog program (`builtin' is a internal
-# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
-
-# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
-# to use and second the expiring timeout (in seconds).
-SSLSessionCache shmcb:/run/httpd/sslcache(512000)
-SSLSessionCacheTimeout 300
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names. NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly.
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
-
-##
-## SSL Virtual Host Context
-##
-
-
-# General setup for the virtual host, inherited from global configuration
-#DocumentRoot "/var/www/html"
-#ServerName www.example.com:443
-
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel warn
-
-# SSL Engine Switch:
-# Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-# List the protocol versions which clients are allowed to connect with.
-# The OpenSSL system profile is used by default. See
-# update-crypto-policies(8) for more details.
-#SSLProtocol all -SSLv3
-#SSLProxyProtocol all -SSLv3
-
-# User agents such as web browsers are not configured for the user's
-# own preference of either security or performance, therefore this
-# must be the prerogative of the web server administrator who manages
-# cpu load versus confidentiality, so enforce the server's cipher order.
-SSLHonorCipherOrder on
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-# The OpenSSL system profile is configured by default. See
-# update-crypto-policies(8) for more details.
-SSLCipherSuite PROFILE=SYSTEM
-SSLProxyCipherSuite PROFILE=SYSTEM
-
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that restarting httpd will prompt again. Keep
-# in mind that if you have both an RSA and a DSA certificate you
-# can configure both in parallel (to also allow the use of DSA
-# ciphers, etc.)
-# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
-# require an ECC certificate which can also be configured in
-# parallel.
-SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-
-# Server Private Key:
-# If the key is not combined with the certificate, use this
-# directive to point at the key file. Keep in mind that if
-# you've both a RSA and a DSA private key you can configure
-# both in parallel (to also allow the use of DSA ciphers, etc.)
-# ECC keys, when in use, can also be configured in parallel
-SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
-# Server Certificate Chain:
-# Point SSLCertificateChainFile at a file containing the
-# concatenation of PEM encoded CA certificates which form the
-# certificate chain for the server certificate. Alternatively
-# the referenced file can be the same as SSLCertificateFile
-# when the CA certificates are directly appended to the server
-# certificate for convenience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-# Certificate Authority (CA):
-# Set the CA certificate verification path where to find CA
-# certificates for client authentication or alternatively one
-# huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-# Client Authentication (Type):
-# Client certificate verification type and depth. Types are
-# none, optional, require and optional_no_ca. Depth is a
-# number which specifies how deeply to verify the certificate
-# issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth 10
-
-# Access Control:
-# With SSLRequire you can do per-directory access control based
-# on arbitrary complex boolean expressions containing server
-# variable checks and other lookup directives. The syntax is a
-# mixture between C and Perl. See the mod_ssl documentation
-# for more details.
-#
-#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
-# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#
-
-# SSL Engine Options:
-# Set various options for the SSL engine.
-# o FakeBasicAuth:
-# Translate the client X.509 into a Basic Authorisation. This means that
-# the standard Auth/DBMAuth methods can be used for access control. The
-# user name is the `one line' version of the client's X.509 certificate.
-# Note that no password is obtained from the user. Every entry in the user
-# file needs this password: `xxj31ZMTZzkVA'.
-# o ExportCertData:
-# This exports two additional environment variables: SSL_CLIENT_CERT and
-# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-# server (always existing) and the client (only existing when client
-# authentication is used). This can be used to import the certificates
-# into CGI scripts.
-# o StdEnvVars:
-# This exports the standard SSL/TLS related `SSL_*' environment variables.
-# Per default this exportation is switched off for performance reasons,
-# because the extraction step is an expensive operation and is usually
-# useless for serving static content. So one usually enables the
-# exportation for CGI and SSI requests only.
-# o StrictRequire:
-# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-# under a "Satisfy any" situation, i.e. when it applies access is denied
-# and no other module can change it.
-# o OptRenegotiate:
-# This enables optimized SSL connection renegotiation handling when SSL
-# directives are used in per-directory context.
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-
- SSLOptions +StdEnvVars
-
-
- SSLOptions +StdEnvVars
-
-
-# SSL Protocol Adjustments:
-# The safe and default but still SSL/TLS standard compliant shutdown
-# approach is that mod_ssl sends the close notify alert but doesn't wait for
-# the close notify alert from client. When you need a different shutdown
-# approach you can use one of the following variables:
-# o ssl-unclean-shutdown:
-# This forces an unclean shutdown when the connection is closed, i.e. no
-# SSL close notify alert is sent or allowed to be received. This violates
-# the SSL/TLS standard but is needed for some brain-dead browsers. Use
-# this when you receive I/O errors because of the standard approach where
-# mod_ssl sends the close notify alert.
-# o ssl-accurate-shutdown:
-# This forces an accurate shutdown when the connection is closed, i.e. a
-# SSL close notify alert is sent and mod_ssl waits for the close notify
-# alert of the client. This is 100% SSL/TLS standard compliant, but in
-# practice often causes hanging connections with brain-dead browsers. Use
-# this only for browsers where you know that their SSL implementation
-# works correctly.
-# Notice: Most problems of broken clients are also related to the HTTP
-# keep-alive facility, so you usually additionally want to disable
-# keep-alive for those clients, too. Use variable "nokeepalive" for this.
-# Similarly, one has to force some clients to use HTTP/1.0 to workaround
-# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-# "force-response-1.0" for this.
-BrowserMatch "MSIE [2-5]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
-# Per-Server Logging:
-# The home of a custom SSL log file. Use this when you want a
-# compact non-error SSL logfile on a virtual host basis.
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-
-
diff --git a/nginx/conf.d/files.898.ro.conf_ b/nginx/conf.d/files.898.ro.conf_
deleted file mode 100644
index 8789167..0000000
--- a/nginx/conf.d/files.898.ro.conf_
+++ /dev/null
@@ -1,34 +0,0 @@
-server {
- listen 192.168.1.2:80;
- server_name files.898.ro;
- charset utf-8;
- root /var/www/html/afiles;
- index index.php index.html index.htm;
-
- access_log /var/log/nginx/files.898.ro.access.log;
- error_log /var/log/nginx/files.898.ro.error.log;
-
- location ~* \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_buffer_size 16k;
- fastcgi_buffers 4 16k;
- }
-
- # gzip should not be used with SSL
- gzip off;
-
- listen 192.168.1.2:443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/files.898.ro/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/files.898.ro/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-
- ### redirect
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-}
diff --git a/nginx/conf.d/mail.898.ro.conf_ b/nginx/conf.d/mail.898.ro.conf_
deleted file mode 100644
index a177dbb..0000000
--- a/nginx/conf.d/mail.898.ro.conf_
+++ /dev/null
@@ -1,44 +0,0 @@
-server {
- listen 192.168.1.2:80;
- server_name mail.898.ro;
- charset utf-8;
- root /var/www/html/roundcubemail;
- index index.php;
-
- client_max_body_size 128M;
-
- access_log /var/log/nginx/mail.898.ro.access.log;
- error_log /var/log/nginx/mail.898.ro.error.log;
-
- location / {
- try_files $uri $uri/ /index.php?q=$uri&$args;
- }
-
- location ~* \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_buffer_size 16k;
- fastcgi_buffers 4 16k;
- }
-
- location ^~ /data {
- deny all;
- }
-
- # gzip should not be used with SSL
- gzip off;
-
- listen 192.168.1.2:443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/mail.898.ro/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/mail.898.ro/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-
- ### redirect
- if ($scheme != "https") {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-}
diff --git a/nginx/conf.d/trace.898.ro.ssl.conf_ b/nginx/conf.d/trace.898.ro.ssl.conf_
deleted file mode 100644
index c3b3118..0000000
--- a/nginx/conf.d/trace.898.ro.ssl.conf_
+++ /dev/null
@@ -1,40 +0,0 @@
-server {
- server_name trace.898.ro;
- charset utf-8;
-
- root /var/www/html/vhosts/club3d.ro/mtr;
- index index.html index.php;
-
- access_log /var/log/nginx/trace.898.ro.access.log;
- error_log /var/log/nginx/trace.898.ro.error.log;
-
- location ~* \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_max_temp_file_size 0;
- fastcgi_buffer_size 4K;
- fastcgi_buffers 64 4k;
- }
-
- listen 192.168.1.2:443 ssl http2; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/trace.898.ro/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/trace.898.ro/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-
-server {
- if ($host = trace.898.ro) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
- listen 192.168.1.2:80;
- server_name trace.898.ro;
- return 404; # managed by Certbot
-
-}
-