diff --git a/.etckeeper b/.etckeeper index cc5bf28..a3a1e46 100755 --- a/.etckeeper +++ b/.etckeeper @@ -269,10 +269,14 @@ maybe chmod 0644 'clamd.conf.rpmnew' maybe chown 'amavis' 'clamd.conf.rpmsave' maybe chgrp 'amavis' 'clamd.conf.rpmsave' maybe chmod 0644 'clamd.conf.rpmsave' +maybe chown 'amavis' 'clamd.d' +maybe chgrp 'amavis' 'clamd.d' maybe chmod 0755 'clamd.d' maybe chown 'amavis' 'clamd.d/amavisd.conf' maybe chgrp 'amavis' 'clamd.d/amavisd.conf' maybe chmod 0644 'clamd.d/amavisd.conf' +maybe chown 'amavis' 'clamd.d/scan.conf' +maybe chgrp 'amavis' 'clamd.d/scan.conf' maybe chmod 0644 'clamd.d/scan.conf' maybe chown 'amavis' 'clamd.d/scan.conf.rpmnew' maybe chgrp 'amavis' 'clamd.d/scan.conf.rpmnew' @@ -924,7 +928,6 @@ maybe chmod 0644 'httpd/conf.d/perl.conf.rpmnew' maybe chmod 0644 'httpd/conf.d/php.conf' maybe chmod 0644 'httpd/conf.d/phpmyadmin.conf' maybe chmod 0644 'httpd/conf.d/squid.conf' -maybe chmod 0644 'httpd/conf.d/ssl.conf' maybe chmod 0644 'httpd/conf.d/ssl.conf_disabled' maybe chmod 0644 'httpd/conf.d/userdir.conf' maybe chmod 0644 'httpd/conf.d/welcome.conf' @@ -3776,6 +3779,7 @@ maybe chmod 0644 'nginx/conf.d/php-fpm.conf' maybe chown 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf' maybe chgrp 'nginx' 'nginx/conf.d/rspamd.club3d.ro.conf' maybe chmod 0644 'nginx/conf.d/rspamd.club3d.ro.conf' +maybe chmod 0640 'nginx/conf.d/savu.conf' maybe chown 'nginx' 'nginx/conf.d/storm.club3d.ro.conf' maybe chgrp 'nginx' 'nginx/conf.d/storm.club3d.ro.conf' maybe chmod 0640 'nginx/conf.d/storm.club3d.ro.conf' diff --git a/cron.d/clamav-unofficial-sigs b/cron.d/clamav-unofficial-sigs index 0bbde8a..ea6cc77 100644 --- a/cron.d/clamav-unofficial-sigs +++ b/cron.d/clamav-unofficial-sigs 
@@ -26,6 +26,6 @@ # 60 - 600 seconds. To Adjust the cron values, edit your configs and run # bash clamav-unofficial-sigs.sh --install-cron to generate a new file. MAILTO=root -1 0 * * * amavis [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --force && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --update && chown amavis:amavis /etc/clamd.d/ -R && chown amavis:amavis /etc/clamd.conf && sudo systemctl restart clamd +1 0 * * * root [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --force && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --update && chown amavis:amavis /etc/clamd.d/ -R && chown amavis:amavis /etc/clamd.conf && sudo systemctl restart clamd # https://eXtremeSHOK.com ###################################################### diff --git a/csf/changelog.txt b/csf/changelog.txt index d66dce2..ad4688a 100644 --- a/csf/changelog.txt +++ b/csf/changelog.txt @@ -1,5 +1,18 @@ ChangeLog: +14.15 - Fixed regression issue with logfile regexes + + Implemented an improved email wrapper + +14.14 - Fixed issue with using Text::Wrap + +14.13 - Added inline pid match to all system regexes to cater for logging + changes + + Use Text::Wrap to ensure email line lengths are within specifications + + Updated dovecot log regexes to support the changed format in v2.3.15+ + 14.12 - Added cPanel SaaS servers to cpanel.allow Added a fix for RHEL v8 processes that were reporting excessive null or diff --git a/csf/csf.deny b/csf/csf.deny index 7041c35..83235f1 100644 --- a/csf/csf.deny +++ b/csf/csf.deny 
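Review bot: The user field of the job changes from `amavis` to `root`, so both runs of the third-party updater `/usr/local/sbin/clamav-unofficial-sigs.sh` (`--force`, then `--update`), including everything it downloads and unpacks, now execute with full privileges. Only the trailing `chown` and the `systemctl restart clamd` need root. Keeping the updater entry on `amavis` and adding a later root entry such as `30 0 * * * root chown -R amavis:amavis /etc/clamd.d /etc/clamd.conf && systemctl restart clamd` (time constructed) keeps the network-facing step unprivileged. `sudo` is redundant once the line runs as root, and the header comment in this hunk says the file is regenerated by `--install-cron`, so a hand edit here may be overwritten.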
@@ -16,38 +16,3 @@
 #
 # See readme.txt for more information regarding advanced port filtering
 #
-185.244.41.0/24 # lfd: (NETBLOCK) 185.244.41.0/24 (RU/Russia/-/-/-) has had more than 2 blocks in the last 86400 secs - Fri Dec 11 12:00:59 2020
-78.128.113.67 # lfd: (PERMBLOCK) 78.128.113.67 (BG/Bulgaria/-/-/ip-113-67.4vendeta.com) has had more than 2 temp blocks in the last 86400 secs - Fri Dec 18 02:27:48 2020
-212.70.149.54 # lfd: (PERMBLOCK) 212.70.149.54 (BG/Bulgaria/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Dec 19 14:14:00 2020
-178.176.174.0/24 # lfd: (NETBLOCK) 178.176.174.0/24 (RU/Russia/Tatarstan Republic/Kazan’/-) has had more than 2 blocks in the last 86400 secs - Thu Dec 24 05:43:47 2020
-77.40.3.116 # lfd: (PERMBLOCK) 77.40.3.116 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/116.3.dialup.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Thu Dec 24 15:37:37 2020
-193.56.28.214 # lfd: (PERMBLOCK) 193.56.28.214 (GB/United Kingdom/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Dec 28 19:32:33 2020
-78.128.113.66 # lfd: (PERMBLOCK) 78.128.113.66 (BG/Bulgaria/-/-/ip-113-66.4vendeta.com) has had more than 2 temp blocks in the last 86400 secs - Mon Jan 11 18:33:10 2021
-216.118.251.2 # lfd: (PERMBLOCK) 216.118.251.2 (HK/Hong Kong/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Fri Jan 15 18:55:23 2021
-212.70.149.85 # lfd: (PERMBLOCK) 212.70.149.85 (BG/Bulgaria/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Jan 18 23:35:05 2021
-87.246.7.0/24 # lfd: (NETBLOCK) 87.246.7.0/24 (BG/Bulgaria/-/-/-) has had more than 2 blocks in the last 86400 secs - Sun Jan 24 11:52:11 2021
-141.98.80.102 # lfd: (PERMBLOCK) 141.98.80.102 (PA/Panama/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Jan 24 19:36:50 2021
-186.216.69.0/24 # lfd: (NETBLOCK) 186.216.69.0/24 (BR/Brazil/Minas Gerais/Unai/-) has had more than 2 blocks in the last 86400 secs - Sun Jan 24 23:23:15 2021
-177.21.213.0/24 # lfd: (NETBLOCK) 177.21.213.0/24 (BR/Brazil/Rio Grande do Sul/Veranopolis/-) has had more than 2 blocks in the last 86400 secs - Mon Jan 25 13:29:27 2021
-177.87.68.0/24 # lfd: (NETBLOCK) 177.87.68.0/24 (BR/Brazil/Parana/Tres Barras do Parana/-) has had more than 2 blocks in the last 86400 secs - Mon Jan 25 20:14:03 2021
-91.243.45.40 # lfd: (PERMBLOCK) 91.243.45.40 (RU/Russia/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Jan 25 21:37:29 2021
-177.129.206.0/24 # lfd: (NETBLOCK) 177.129.206.0/24 (BR/Brazil/Minas Gerais/Itapagipe/-) has had more than 2 blocks in the last 86400 secs - Tue Jan 26 16:24:41 2021
-77.40.3.0/24 # lfd: (NETBLOCK) 77.40.3.0/24 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/-) has had more than 2 blocks in the last 86400 secs - Sat Jan 30 09:20:59 2021
-77.40.2.37 # lfd: (PERMBLOCK) 77.40.2.37 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/37.2.dialup.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Sun Jan 31 15:19:42 2021
-187.87.2.0/24 # lfd: (NETBLOCK) 187.87.2.0/24 (BR/Brazil/Rio Grande do Norte/Caico/-) has had more than 2 blocks in the last 86400 secs - Wed Feb 3 22:16:42 2021
-186.250.205.0/24 # lfd: (NETBLOCK) 186.250.205.0/24 (BR/Brazil/Sao Paulo/Guaratingueta/-) has had more than 2 blocks in the last 86400 secs - Thu Feb 4 02:23:00 2021
-45.167.8.0/24 # lfd: (NETBLOCK) 45.167.8.0/24 (BR/Brazil/-/-/-) has had more than 2 blocks in the last 86400 secs - Fri Feb 5 08:32:05 2021
-141.98.80.130 # lfd: (PERMBLOCK) 141.98.80.130 (PA/Panama/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Feb 7 08:09:42 2021
-77.40.13.142 # lfd: (PERMBLOCK) 77.40.13.142 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/142.13.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 8 02:34:44 2021
-77.40.2.22 # lfd: (PERMBLOCK) 77.40.2.22 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/-) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 8 20:13:38 2021
-77.40.40.20 # lfd: (PERMBLOCK) 77.40.40.20 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/20.40.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Tue Feb 9 02:16:44 2021
-77.40.23.10 # lfd: (PERMBLOCK) 77.40.23.10 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/10.23.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Wed Feb 10 12:01:31 2021
-77.247.110.130 # lfd: (PERMBLOCK) 77.247.110.130 (BZ/Belize/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Feb 14 01:02:38 2021
-77.247.110.132 # lfd: (PERMBLOCK) 77.247.110.132 (BZ/Belize/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 15 03:26:39 2021
-77.40.80.168 # lfd: (PERMBLOCK) 77.40.80.168 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/-) has had more than 2 temp blocks in the last 86400 secs - Wed Feb 17 08:24:55 2021
-5.188.206.234 # lfd: (PERMBLOCK) 5.188.206.234 (US/United States/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Thu Feb 18 11:13:03 2021
-141.98.80.133 # lfd: (PERMBLOCK) 141.98.80.133 (PA/Panama/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sat Feb 20 09:26:44 2021
-2.57.122.32 # lfd: (PERMBLOCK) 2.57.122.32 (RO/Romania/-/-/-) has had more than 2 temp blocks in the last 86400 secs - Sun Feb 21 20:57:17 2021
-168.61.18.166 # lfd: (PERMBLOCK) 168.61.18.166 (US/United States/California/San Jose/-) has had more than 2 temp blocks in the last 86400 secs - Mon Feb 22 02:07:08 2021
-77.40.62.96 # lfd: (PERMBLOCK) 77.40.62.96 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/96.62.pppoe.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Wed Feb 24 13:05:28 2021
-77.40.2.171 # lfd: (PERMBLOCK) 77.40.2.171 (RU/Russia/Mariy-El Republic/Yoshkar-Ola/171.2.dialup.mari-el.ru) has had more than 2 temp blocks in the last 86400 secs - Thu Feb 25 15:43:13 2021
diff --git a/csf/version.txt b/csf/version.txt
index 789b542..bc467a1 100644
--- a/csf/version.txt
+++ b/csf/version.txt
@@ -1 +1 @@ -14.12 \ No newline at end of file +14.15 \ No newline at end of file diff --git a/group b/group index 40c2f7e..b91130d 100644 --- a/group +++ b/group @@ -103,3 +103,4 @@ rundeck:x:1018: litecoin:x:1019: bogdan:x:1020: squid:x:23: +laser:x:1021: diff --git a/group- b/group- index 00443fa..40c2f7e 100644 --- a/group- +++ b/group- @@ -102,3 +102,4 @@ mailcow:x:1017: rundeck:x:1018: litecoin:x:1019: bogdan:x:1020: +squid:x:23: diff --git a/gshadow b/gshadow index 9aa2961..26a49a3 100644 --- a/gshadow +++ b/gshadow @@ -103,3 +103,4 @@ rundeck:!:: litecoin:!:: bogdan:!:: squid:!:: +laser:!:: diff --git a/gshadow- b/gshadow- index cc13286..9aa2961 100644 --- a/gshadow- +++ b/gshadow- @@ -102,3 +102,4 @@ mailcow:!:: rundeck:!:: litecoin:!:: bogdan:!:: +squid:!:: diff --git a/hosts b/hosts index eaec750..933b6c3 100644 --- a/hosts +++ b/hosts @@ -1,5 +1,8 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +134.122.29.182 consul1 + + ### 192.168.1.2 linux.vrem.ro linux 192.168.1.1 speedport.lan diff --git a/httpd/conf.d/ssl.conf b/httpd/conf.d/ssl.conf deleted file mode 100644 index d28adf3..0000000 --- a/httpd/conf.d/ssl.conf +++ /dev/null 
@@ -1,203 +0,0 @@ -# -# When we also provide SSL we have to listen to the -# standard HTTPS port in addition. -# -Listen 443 https - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# Pass Phrase Dialog: -# Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal -# terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog - -# Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism -# to use and second the expiring timeout (in seconds). -SSLSessionCache shmcb:/run/httpd/sslcache(512000) -SSLSessionCacheTimeout 300 - -# -# Use "SSLCryptoDevice" to enable any supported hardware -# accelerators. Use "openssl engine -v" to list supported -# engine names. NOTE: If you enable an accelerator and the -# server does not start, consult the error logs and ensure -# your accelerator is functioning properly. -# -SSLCryptoDevice builtin -#SSLCryptoDevice ubsec - -## -## SSL Virtual Host Context -## - - - -# General setup for the virtual host, inherited from global configuration -#DocumentRoot "/var/www/html" -#ServerName www.example.com:443 - -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# List the protocol versions which clients are allowed to connect with. -# The OpenSSL system profile is used by default. See -# update-crypto-policies(8) for more details. 
-#SSLProtocol all -SSLv3 -#SSLProxyProtocol all -SSLv3 - -# User agents such as web browsers are not configured for the user's -# own preference of either security or performance, therefore this -# must be the prerogative of the web server administrator who manages -# cpu load versus confidentiality, so enforce the server's cipher order. -SSLHonorCipherOrder on - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -# The OpenSSL system profile is configured by default. See -# update-crypto-policies(8) for more details. -SSLCipherSuite PROFILE=SYSTEM -SSLProxyCipherSuite PROFILE=SYSTEM - -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that restarting httpd will prompt again. Keep -# in mind that if you have both an RSA and a DSA certificate you -# can configure both in parallel (to also allow the use of DSA -# ciphers, etc.) -# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) -# require an ECC certificate which can also be configured in -# parallel. -SSLCertificateFile /etc/pki/tls/certs/localhost.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -# ECC keys, when in use, can also be configured in parallel -SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convenience. 
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). 
This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is sent or allowed to be received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is sent and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. 
-# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - diff --git a/nginx/conf.d/savu.conf b/nginx/conf.d/savu.conf new file mode 100644 index 0000000..12aa710 --- /dev/null +++ b/nginx/conf.d/savu.conf @@ -0,0 +1,24 @@ +server { + listen 192.168.1.2:80; + server_name savudrivenschool.co.uk www.savudrivenschool.co.uk; + charset utf-8; + root /var/www/html/vhosts/club3d.ro/savu; + index index.php index.html index.htm; + + access_log /var/log/nginx/savu.access.log; + error_log /var/log/nginx/savu.error.log; + + location ~* \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_pass unix:/var/run/php-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + # gzip should not be used with SSL + gzip off; + +} diff --git a/passwd b/passwd index 7bd293e..d420377 100644 --- a/passwd +++ b/passwd @@ -74,3 +74,4 @@ rundeck:x:1017:1018::/var/lib/rundeck:/bin/bash litecoin:x:1018:1019::/opt/litecoin:/bin/bash bogdan:x:1019:1020::/home/bogdan:/bin/bash squid:x:23:23::/var/spool/squid:/sbin/nologin +laser:x:1020:1021::/home/laser:/bin/bash diff --git a/passwd- b/passwd- index 2194db2..7bd293e 100644 --- a/passwd- +++ b/passwd- 
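Review bot: In the new `nginx/conf.d/savu.conf`, the `location ~* \.php$` block passes every URI ending in `.php` to PHP-FPM without first checking that the script exists under `root`. If PHP's path-info fallback is enabled (not visible here), the interpreter may then run a different file from the one the URI names. Add `try_files $uri =404;` as the first line of that location. The `fastcgi_split_path_info` line can go, because its pattern needs text after `.php` and this location only matches URIs that end in `.php`. The vhost listens on port 80 only, so the comment `# gzip should not be used with SSL` does not describe this file, and anything submitted to the site travels unencrypted unless TLS is terminated elsewhere.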
@@ -72,4 +72,5 @@ cfb:x:1015:1016::/home/cfb:/bin/bash mailcow:x:1016:1017::/home/mailcow:/bin/bash rundeck:x:1017:1018::/var/lib/rundeck:/bin/bash litecoin:x:1018:1019::/opt/litecoin:/bin/bash -bogdan:x:1019:1020::/home/bogdan:/usr/bin/mysecureshell +bogdan:x:1019:1020::/home/bogdan:/bin/bash +squid:x:23:23::/var/spool/squid:/sbin/nologin diff --git a/shadow b/shadow index 90e188b..f950e17 100644 --- a/shadow +++ b/shadow @@ -74,3 +74,4 @@ rundeck:!!:18772:0:99999:7:30:: litecoin:!!:18775:0:99999:7:30:: bogdan:mCxaxi7Ck2FlI:18822:0:99999:7:30:: squid:!!:18921:::::: +laser:$6$3IDnJkLhNhDa5MUg$ysajgR6P3uElTVSBuLJbix4lHHNheJ.JBIrGFRvUPsY2/265PmO3vjgWTculxKkywvas0vcVrX3Q4QQZ/qufR.:18954:0:99999:7:30:: diff --git a/shadow- b/shadow- index 047d1c7..90e188b 100644 --- a/shadow- +++ b/shadow- @@ -73,3 +73,4 @@ mailcow:$6$7vT203MTlIc8ROf0$VxXn56jKN5.UAPyXsgvv4r2XQDaL5yjo8Tk1We6rPS1eB7fRxbmI rundeck:!!:18772:0:99999:7:30:: litecoin:!!:18775:0:99999:7:30:: bogdan:mCxaxi7Ck2FlI:18822:0:99999:7:30:: +squid:!!:18921:::::: diff --git a/ssh/sftp_config b/ssh/sftp_config index a4bd837..1b53b03 100644 --- a/ssh/sftp_config +++ b/ssh/sftp_config @@ -26,13 +26,13 @@ # MaxOpenFilesForUser 20 #limit user to open x files on same time # MaxWriteFilesForUser 10 #limit user to x upload on same time # MaxReadFilesForUser 10 #limit user to x download on same time - DefaultRights 0664 0775 #Set default rights for new file and new directory + DefaultRights 0640 0770 #Set default rights for new file and new directory # MinimumRights 0400 0700 #Set minimum rights for files and dirs # PathDenyFilter "^\." #deny upload of directory/file which match this extented POSIX regex ShowLinksAsLinks false #show links as their destinations -# ConnectionMaxLife 1d #limits connection lifetime to 1 day + ConnectionMaxLife 1d #limits connection lifetime to 1 day # Charset "ISO-8859-15" #set charset of computer # GMTTime +1 #set GMT Time (change if necessary) 
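Review bot: The added `laser` line in `shadow` commits a live SHA-512 crypt hash, and the `bogdan` context line carries a 13-character hash in the legacy DES crypt form, which resists offline guessing far less. The `shadow-` hunk that follows repeats the `bogdan` hash and shows part of the `mailcow` hash in its header. Anyone who can read this history can work on those hashes offline, so the repository needs the same access control as `/etc/shadow`, and the affected passwords should be rotated if it has been shared more widely. Listing `shadow`, `shadow-`, `gshadow` and `gshadow-` in `.gitignore` keeps them out of future commits, and resetting `bogdan`'s password would re-hash it with the system's current scheme.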
diff --git a/ssh/sshd_config b/ssh/sshd_config index 314ebde..8c9412b 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -109,7 +109,7 @@ PermitTunnel no ChrootDirectory none VersionAddendum Fuck_Off! -AllowUsers root vampi madalin sonykss smiti sara +AllowUsers root vampi madalin smiti sara laser Banner /etc/issue.net # Accept locale-related environment variables @@ -120,6 +120,7 @@ AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO +#Subsystem sftp internal-sftp ### Example of overriding settings on a per-user basis Match User root @@ -134,11 +135,11 @@ Match User vampi Match User madalin PermitTTY yes -Match User sonykss - PermitTTY yes - Match User smiti PermitTTY yes Match user sara PermitTTY yes + +Match user laser + PermitTTY yes diff --git a/subgid b/subgid index 6aa29a9..18ce69d 100644 --- a/subgid +++ b/subgid @@ -17,3 +17,4 @@ mailcow:1083040:65536 rundeck:1148576:65536 litecoin:1214112:65536 bogdan:1279648:65536 +laser:1345184:65536 diff --git a/subgid- b/subgid- index 9d889d0..6aa29a9 100644 --- a/subgid- +++ b/subgid- @@ -16,3 +16,4 @@ cfb:1017504:65536 mailcow:1083040:65536 rundeck:1148576:65536 litecoin:1214112:65536 +bogdan:1279648:65536 diff --git a/subuid b/subuid index 6aa29a9..18ce69d 100644 --- a/subuid +++ b/subuid @@ -17,3 +17,4 @@ mailcow:1083040:65536 rundeck:1148576:65536 litecoin:1214112:65536 bogdan:1279648:65536 +laser:1345184:65536 diff --git a/subuid- b/subuid- index 9d889d0..6aa29a9 100644 --- a/subuid- +++ b/subuid- @@ -16,3 +16,4 @@ cfb:1017504:65536 mailcow:1083040:65536 rundeck:1148576:65536 litecoin:1214112:65536 +bogdan:1279648:65536
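Review bot: `AllowUsers` now admits `laser`, an account this same commit creates with a password hash and `/bin/bash`, and the new `Match user laser` block at the end of the file sets only `PermitTTY yes`. Whether password logins are enabled is not visible in these hunks; if they are, the account is reachable over SSH by password alone, so consider adding `AuthenticationMethods publickey` inside that Match block. `sonykss` is dropped from `AllowUsers` and its Match block removed, but no visible hunk locks or removes the account itself. Confirm it is disabled (for example with `usermod -L` and removal of its authorized keys) instead of only being refused by sshd. `root` remains in `AllowUsers`; the body of the `Match User root` block lies outside the hunk.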