today

mail/Horde.md

@@ -13,6 +13,8 @@ chmod +x /home/horde/website/pear.sh
 /home/horde/website/pear.sh install -B horde/horde
 # Open TNEF
 /home/horde/website/pear.sh install -B horde/Horde_Mapi
+# URL generation
+/home/horde/website/pear.sh install -B horde/Horde_Routes
 # Create database tables
 PHP_PEAR_SYSCONF_DIR=/home/horde/website php -d "include_path=.:/home/horde/website/pear/php" \
     /home/horde/website/pear/horde-db-migrate

mail/README.md

@@ -130,6 +130,10 @@ sudo -u daemon -- spamassassin --test-mode -D dkim < msg-signed.eml
 opendkim -vvv -t msg-signed.eml
 ```
 
+### Mailserver SSL test
+
+https://ssl-tools.net/
+
 #### Sender ID (From:)
 
 - http://en.wikipedia.org/wiki/Sender_ID

mail/spammer.dnsbl/dangerous.dnsbl.zone

@@ -60,15 +60,6 @@ $TTL 60
 
 # ---------------------------------------
 
-# Tor
-:127.0.0.2:Tor exit node
-
-79.172.193.32   Tor@Deninet/AS29278
-185.17.184.228  Tor@LeaseWeb/AS60781
-77.247.181.163  Tor@NForce/AS43350
-
-# ---------------------------------------
-
 # Blocked
 :127.0.0.128:Blocked network
 
@@ -99,6 +90,7 @@ $TTL 60
 89.248.172.0/23 FR_Ecatel@Ecatel/AS29073
 89.248.174.0/24 FR_Ecatel@Ecatel/AS29073
 93.174.88.0/21  FR_Ecatel@Ecatel/AS29073
+94.102.48.0/20  FR_Ecatel@Ecatel/AS29073
 
 # AS35804 - PP SKS-LUGAN
 91.200.12.0/22  UA_SKS-LUGAN@PP SKS-LUGAN/AS35804

monitoring/apache-4xx-report.sh

@@ -2,8 +2,8 @@
 #
 # Report Apache client and server errors of the last 24 hours.
 #
-# VERSION       :1.2.0
-# DATE          :2015-07-17
+# VERSION       :1.2.1
+# DATE          :2015-11-08
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # URL           :https://github.com/szepeviktor/debian-server-tools
 # LICENSE       :The MIT License (MIT)
@@ -59,6 +59,9 @@ fi
 # APACHE_LOG_DIR is defined here
 source /etc/apache2/envvars
 
+# For non-existent previous log file
+shopt -s nullglob
+
 while read CONFIG_FILE; do
     ACCESS_LOG="$(sed -n '/^\s*CustomLog\s\+\(\S\+\)\s\+\S\+.*$/I{s//\1/p;q;}' "$CONFIG_FILE")"
     SITE_USER="$(sed -n '/^\s*Define\s\+SITE_USER\s\+\(\S\+\).*$/I{s//\1/p;q;}' "$CONFIG_FILE")"
@@ -69,8 +72,10 @@ while read CONFIG_FILE; do
 
     # Log lines for 1 day from cron.daily
     ionice -c 3 /usr/local/bin/dategrep --format apache --multiline \
-        --from "1 day ago at 06:25:00" --to "06:25:00" "${ACCESS_LOG}.1" "$ACCESS_LOG" \
+        --from "1 day ago at 06:25:00" --to "06:25:00" "$ACCESS_LOG".[1] "$ACCESS_LOG" \
         | Filter_client_server_error \
-        | sed "s;^;$(basename "$ACCESS_LOG" .log): ;g"
+        | sed "s;^;$(basename "$ACCESS_LOG" .log): ;"
 
 done <<< "$APACHE_CONFIGS" | Maybe_sendmail
+
+exit 0

monitoring/cron-grandchild.sh

@@ -2,8 +2,8 @@
 #
 # Report cron "grandchild failed" details.
 #
-# VERSION       :0.1.2
-# DATE          :2015-11-03
+# VERSION       :0.1.3
+# DATE          :2015-11-08
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
 # URL           :https://github.com/szepeviktor/debian-server-tools
@@ -24,16 +24,19 @@ Grandchild_pid() {
     sed -n "s/^\S\+ \+[0-9]\+ [0-9:]\+ \S\+ \(\/USR\/SBIN\/\)\?CRON\[[0-9]\+\]: (CRON) error (grandchild #\([0-9]\+\) failed with exit status [0-9]\+)$/\1/p"
 }
 
+# For non-existent syslog.1
+shopt -s nullglob
+
 # Every hour 17 minutes as in Debian cron.hourly, local time (non-UTC)
 /usr/local/bin/dategrep --format rsyslog --multiline \
-    --from "1 hour ago from -17:00" --to "-17:00" /var/log/syslog.1 /var/log/syslog \
+    --from "1 hour ago from -17:00" --to "-17:00" /var/log/syslog.[1] /var/log/syslog \
     | grep -F -v "/usr/local/sbin/syslog-errors.sh" \
     | Grandchild_pid \
     | while read GC_PID; do
         # Search for the log line with some context
         # Add marks around it
-        grep -C3 "^\S\+ \+[0-9]\+ [0-9:]\+ \S\+ \(/USR/SBIN/\)\?CRON\[${GC_PID}\]: (\S\+) CMD (.\+)$" \
-            /var/log/syslog.1 /var/log/syslog \
+        grep -C 3 "^\S\+ \+[0-9]\+ [0-9:]\+ \S\+ \(/USR/SBIN/\)\?CRON\[${GC_PID}\]: (\S\+) CMD (.\+)$" \
+            /var/log/syslog.[1] /var/log/syslog \
             | sed "s;^\(\S\+ \+[0-9]\+ [0-9:]\+ \S\+ \(/USR/SBIN/\)\?CRON\[${GC_PID}\]: (\S\+) CMD (.\+)\)$;----\n\1\n----;"
     done
 

monitoring/robots-unknown.sh

@@ -1,18 +1,26 @@
 #!/bin/bash
 #
-# Report traffic from unknown robots.
+# Report traffic from unknown robots
 #
+# VERSION       :0.1.1
+# DATE          :2015-11-08
+# AUTHOR        :Viktor Szépe <viktor@szepe.net>
+# URL           :https://github.com/szepeviktor/debian-server-tools
+# LICENSE       :The MIT License (MIT)
+# BASH-VERSION  :4.2+
+# DEPENDS       :apt-get install heirloom-mailx
+# REFS          :http://smythies.com/robots.txt
+# LOCATION      :/usr/local/sbin/robots-unknown.sh
+# CRON-DAILY    :/usr/local/sbin/robots-unknown.sh
 
-# http://smythies.com/robots.txt
+# Authorized robots with 10+ visits
 #
-# Authorized robots 10+
-#
-#     grep "GET /robots\.txt" /home/*/log/access*.log /var/log/apache2/access*.log \
+#     grep -F "GET /robots.txt" /var/log/apache2/*access.log \
 #         |cut -d'"' -f6|sort|uniq -c|sort -n|grep "^\s*[0-9]\{2,\}"
 #
 # Robots without user agent
 #
-#     grep ' "-"$' /home/*/log/access*.log /var/log/apache2/access*.log|most
+#     grep ' "-"$' /var/log/apache2/*access.log|pager
 
 EMAIL_ADDRESS="webmaster@szepe.net"
 EMAIL_SUBJECT="[admin] Unknown robots from $(hostname -f)"
@@ -40,6 +48,9 @@ fi
 # APACHE_LOG_DIR is defined here
 source /etc/apache2/envvars
 
+# For non-existent previous log file
+shopt -s nullglob
+
 while read CONFIG_FILE; do
     ACCESS_LOG="$(sed -n '/^\s*CustomLog\s\+\(\S\+\)\s\+\S\+.*$/I{s//\1/p;q;}' "$CONFIG_FILE")"
     SITE_USER="$(sed -n '/^\s*Define\s\+SITE_USER\s\+\(\S\+\).*$/I{s//\1/p;q;}' "$CONFIG_FILE")"
@@ -49,10 +60,12 @@ while read CONFIG_FILE; do
         -e "s;\${SITE_USER};${SITE_USER};g")"
 
     ionice -c 3 /usr/local/bin/dategrep --format apache --multiline \
-        --from "1 day ago at 06:25:00" --to "06:25:00" "${ACCESS_LOG}.1" "$ACCESS_LOG"
+        --from "1 day ago at 06:25:00" --to "06:25:00" "$ACCESS_LOG".[1] "$ACCESS_LOG"
 
 done <<< "$APACHE_CONFIGS" \
     | Filter_ua \
     | Digest_ua \
     | sed 's;^;|;' \
     | mailx -E -S from="robots unknown <root>" -s "$EMAIL_SUBJECT" "$EMAIL_ADDRESS"
+
+exit 0

package/README.md

@@ -202,3 +202,7 @@ apt-get install -y debpear
 debpear $PEAR_PKG
 ```
 
+### Backporting guide
+
+https://wiki.debian.org/BuildingFormalBackports
+

security/MYATTACKERS.md

@@ -23,18 +23,6 @@
 # type: HTTP
 94.242.192.0/18
 
-# NL/RU HOSTKEY-NET http://bgp.he.net/AS57043#_prefixes
-# DC: Serverius
-# aliases: Mir Telematiki
-5.39.216.0/21
-#31.192.109.0/24
-#31.192.110.0/24
-#46.17.96.0/21
-#46.249.38.0/24
-146.0.72.0/21
-#185.70.184.0/22
-193.109.68.0/23
-195.162.68.0/23
 # Mir Telematiki Ltd. http://bgp.he.net/AS49335#_prefixes
 # 8 prefixes: 141.105.64.0 - 141.105.71.255
 141.105.64.0/21
@@ -59,18 +47,6 @@
 # FR-ILIAD-ENTREPRISES-CUSTOMERS
 195.154.0.0/17
 
-# NL Ecatel http://bgp.he.net/AS29073#_prefixes
-# type: SSH
-# type: HTTP
-# type: SMTP
-80.82.64.0/20
-89.248.160.0/21
-89.248.168.0/22
-89.248.172.0/23
-89.248.174.0/24
-93.174.88.0/21
-94.102.48.0/20
-
 # CHINANET-SH
 50.200.243.136
 116.224.0.0/12

security/blocklist-de-add.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 #
-# Add blocklist.de's list for very abusive IP-s to iptables.
+# Block traffic from very abusive IP-s of blocklist.de
 #
-# VERSION       :0.3
-# DATE          :2015-06-08
+# VERSION       :0.3.1
+# DATE          :2015-11-07
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
 # URL           :https://github.com/szepeviktor/debian-server-tools
@@ -54,7 +54,7 @@ fi
 "$IPTABLES" -N "$A5K_CHAIN" &> /dev/null
 "$IPTABLES" -F "$A5K_CHAIN"
 while read A5K; do
-    isIP "$A5K" && "$IPTABLES" -A "$A5K_CHAIN" -s "$A5K" -j DROP
+    isIP "$A5K" && "$IPTABLES" -A "$A5K_CHAIN" -s "$A5K" -j REJECT
 done < "$A5K_TMP"
 "$IPTABLES" -A "$A5K_CHAIN" -j RETURN
 

security/fail2ban-leanmail/fail2ban-as-list.sh

@@ -22,3 +22,10 @@ zgrep -Fv "[recidive]" /var/log/fail2ban.log | sed -n 's/^.* Ban \([0-9.]\+\)$/\
     | xargs -I %% bash -c "echo -n %%;geoiplookup -f ${AS_GEOIP} %%|recode -f l2..utf8|cut -d: -f2-" \
     | grep -w "$AS" | cut -d' ' -f1 | xargs -r -L1 host -tA
 }
+
+Attack_types() {
+logsearch.sh -e "Break-in attempt detected: " \
+    | sed -n 's;.*Break-in attempt detected: \(\S\+\).*;\1;p' \
+    | sort | uniq -c \
+    | sort -n
+}

security/fail2ban-leanmail/leanmail.sh

@@ -46,6 +46,7 @@ DNSBL4_TORDNSEL="%s.80.%s.ip-port.exitlist.torproject.org"
 #HTTPAPI2_CT="https://moderate.cleantalk.org/api2.0"
 #HTTPAPI2_CT="https://api.cleantalk.org/?method_name=spam_check&auth_key=%s"
 # https://www.dshield.org/api/
+# handlers-a-t-isc.sans.edu
 HTTPAPI3_DSHIELD="https://dshield.org/api/ip/%s"
 
 # IP lists
@@ -79,19 +80,22 @@ LIST_BLDE_1H="https://api.blocklist.de/getlast.php?time=3600"
 
 # Hosting only, no browsers
 declare -a AS_HOSTING=(
-AS14618 # Amazon.com, Inc.
-AS16276 # OVH SAS
-AS18978 # Enzu Inc.
-AS12876 # ONLINE S.A.S.
-AS5577  # root SA
-AS36352 # ColoCrossing
+    AS14618 # Amazon.com, Inc.
+    AS16276 # OVH SAS
+    AS18978 # Enzu Inc.
+    AS12876 # ONLINE S.A.S.
+    AS5577  # root SA
+    AS36352 # ColoCrossing
+    AS29073 # Ecatel LTD
 )
 
-# labs
+# Labs
+# wget -q -O- "http://api.abuseipdb.com/check/?ip=${IP}&cids=12,4,11,10,3,5,15,7,6,14,9,17,16,13&uid=${ABUSEIPDB_UID}&skey=${ABUSEIPDB_SKEY}&o=xml" \
+#     | grep -q '<report cid="[0-9]\+" total="[0-9]\+" />'
 # https://zeltser.com/malicious-ip-blocklists/
 # http://www.umbradata.com/solutions
-# # + https://www.dshield.org/xml.html
-# # + https://www.dshield.org/hpbinfo.html
+# # https://www.dshield.org/xml.html
+# # https://www.dshield.org/hpbinfo.html
 # # https://isc.sans.edu/diary/Reminder%3A+Proper+use+of+DShield+data/4483
 # https://www.dshield.org/ipsascii.html?limit=5000
 # https://www.cyveillance.com/home/security-solutions/data/
@@ -106,7 +110,7 @@ CLASSC_MATCH="1"
 
 # DNS resolver
 #NS1="208.67.220.123" # OpenDNS
-NS1="81.2.236.171" # worker.szepe.net
+NS1="81.2.236.171" # worker
 
 # Timeout in seconds
 TIMEOUT="5"
@@ -400,14 +404,6 @@ Match_multi_AS() {
 
 Match_any() {
     # Local
-#    if Match_country RU "$IP"; then
-#        Log_match "ru"
-#        return 0
-#    fi
-    if Match_multi_AS "$IP" "${AS_HOSTING[@]}"; then
-        Log_match "hosting"
-        return 0
-    fi
     if Match_list "$LIST_BLDE" "$IP"; then
         Log_match "blde"
         return 0
@@ -420,6 +416,14 @@ Match_any() {
         Log_match "openbl"
         return 0
     fi
+    if Match_country A1 "$IP"; then
+        Log_match "anonymous-proxy"
+        return 0
+    fi
+    if Match_multi_AS "$IP" "${AS_HOSTING[@]}"; then
+        Log_match "hosting"
+        return 0
+    fi
 
     # Network
     if Match_dnsbl2 "$DNSBL2_SPAMHAUS" "$IP"; then
@@ -439,9 +443,9 @@ Match_any() {
         return 0
     fi
 
-    # labs :::::::::::::::::
+    # Labs :::::::::::::::::
 
-    # labs/network ::::::::::
+    # Labs/network ::::::::::
 
     return 1
 }
@@ -491,8 +495,12 @@ if Match_any; then
     exit 0
 fi
 
-# @TODO Report IP to: ??? custom.php?
-
 if [ "$IP" != 10.0.0.2 ]; then
+# @TODO Report IP
+# if sed '/\(bad_request_post_user_agent_empty\|no_wp_here_\)/{s//\1/;h};${x;/./{x;q0};x;q1}'; then
+#     INSTANT_SECRET=""
+#     wget -q -O- --post-data="auth=$(echo -n "${IP}${INSTANT_SECRET}"|shasum -a 256|cut -d" " -f1)&ip=${IP}" \
+#         https://site/dnsbl.php &> /dev/null
+# fi |
     /usr/sbin/sendmail -f "$SENDER" "$DEST"
 fi

security/myattackers.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 #
-# Ban malicious hosts manually.
+# Ban malicious hosts manually
 #
-# VERSION       :0.5.2
-# DATE          :2015-11-03
+# VERSION       :0.5.3
+# DATE          :2015-11-07
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
 # URL           :https://github.com/szepeviktor/debian-server-tools
@@ -131,9 +131,9 @@ Ban() {
     local ADDRESS="$1"
 
     # Don't populate duplicates
-    if ! iptables -C "$CHAIN" -s "$ADDRESS" ${PROTOCOL_OPTION} -j DROP &> /dev/null; then
+    if ! iptables -C "$CHAIN" -s "$ADDRESS" ${PROTOCOL_OPTION} -j REJECT &> /dev/null; then
         # Insert at the top
-        iptables -I "$CHAIN" -s "$ADDRESS" ${PROTOCOL_OPTION} ${BANTIME_OPTION} -j DROP
+        iptables -I "$CHAIN" -s "$ADDRESS" ${PROTOCOL_OPTION} ${BANTIME_OPTION} -j REJECT
     fi
 }