today

aelsharawi · Apr 20, 2016 · 995652b · 995652b
1 parent 71d547d
commit 995652b
Show file tree

Hide file tree

Showing 34 changed files with 210 additions and 175 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -34,3 +34,6 @@
 [submodule "monitoring/virt-what"]
 	path = monitoring/virt-what
 	url = git://git.annexia.org/git/virt-what.git
+[submodule "security/maldet"]
+	path = security/maldet
+	url = https://github.com/ftrojahn/linux-malware-detect.git
diff --git a/debian-image-bare-bone.sh b/debian-image-bare-bone.sh
@@ -89,6 +89,8 @@ apt-get -qq -y install virt-what && virt-what
 cat /proc/cmdline
 grep -a "container=" /proc/1/environ # OpenVZ
 cat /sys/hypervisor/uuid # Xen UUID
+xenstore-read "/local/domain/$(xenstore-read "domid")/unique-domain-id" # Xen unique domain ID
+#xenstore-ls "/local/domain/$(xenstore-read "domid")" # Xen details
 dmidecode -s system-product-name # Xen type: HVM/PV-HVM/PV
 dmidecode -s system-uuid # HyperV
 

diff --git a/debian-image-os-image.sh b/debian-image-os-image.sh
@@ -18,7 +18,7 @@ BOOT_PACKAGES="grub-pc|linux-image-amd64|firmware-linux-nonfree|usbutils|mdadm|l
 |sysvinit|initramfs-tools|insserv|discover|systemd|libpam-systemd|systemd-sysv|dbus\
 |extlinux|syslinux-common|elasticstack-container|waagent|scx|omi"
 
-set +e
+set -e
 
 export LC_ALL=C
 export DEBIAN_FRONTEND=noninteractive

diff --git a/debian-setup.sh b/debian-setup.sh
@@ -10,9 +10,10 @@
 # How to choose VPS provider?
 #
 # - Disk access time (~1 ms)
-# - CPU speed (2000+ PassMark CPU Mark, sub-20 ms sysbench)
+# - CPU speed (2000+ PassMark CPU Mark, sub-20 ms sysbench, 100-150 ms in wordpress-speedtest)
+# - Redundancy in: power, network, storage, hypervisors
 # - Worldwide and regional bandwidth, port speed
-# - Spammer neighbours https://www.projecthoneypot.org/ip_1.2.3.4
+# - Spammer neighbours https://www.projecthoneypot.org/ http://www.senderbase.org/lookup/
 # - Response time of nightime technical support in case of network or hardware failure
 # - Daytime technical and billing support
 # - D/DoS mitigation
@@ -349,6 +350,12 @@ editor /etc/resolv.conf
 #
 # OVH resolvers
 #     France 213.186.33.99
+#
+# ATW resolvers
+#     88.151.96.15
+#     88.151.96.16
+#     2a01:270::15
+#     2a01:270::16
 
 clear; ping6 -c 4 ipv6.google.com
 host -v -tA example.com|grep "^example\.com\.\s*[0-9]\+\s*IN\s*A\s*93\.184\.216\.34$"||echo "DNS error"
@@ -358,16 +365,17 @@ host -v -tA example.com|grep "^example\.com\.\s*[0-9]\+\s*IN\s*A\s*93\.184\.216\
 # SSL support
 rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
 # Update ca-certificates
-#wget -qO- http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/unstable_changelog|less
-#Getpkg ca-certificates
+wget -qO- http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/unstable_changelog|less
+Getpkg ca-certificates
 # Install szepenet CA
 CA_NAME="szepenet"
 CA_FILE="szepenet_ca.crt"
 mkdir -v /usr/local/share/ca-certificates/${CA_NAME}
 cp -v ${D}/security/ca/ca-web/szepenet-ca.pem /usr/local/share/ca-certificates/${CA_NAME}/${CA_FILE}
-update-ca-certificates -v -f
 # Monitor certificates
 cd ${D}; ./install.sh monitoring/cert-expiry.sh
+# Update certificates
+update-ca-certificates -v -f
 
 # Block dangerous networks
 cd ${D}/security/myattackers-ipsets/
@@ -647,72 +655,7 @@ cp -vf ${D}/mail/msmtprc /etc/
 echo "This is a test mail."|mailx -s "[first] Subject of the first email" ADDRESS
 
 # Courier MTA - deliver all messages to a smarthost
-#     Send-only servers don't receive emails.
-#     Send-only servers don't have local domain names.
-#     They should have an MX record pointing to the smarthost.
-#     Smarthost should receive all emails addressed to send-only server's domain name.
-clear; apt-get install -y courier-mta courier-mta-ssl
-# Fix dependency on courier-authdaemon
-sed -i '1,20s/^\(#\s\+Required-Start:\s.*\)$/\1 courier-authdaemon/' /etc/init.d/courier-mta
-update-rc.d courier-mta defaults
-# Check for other MTA-s
-dpkg -l | grep -E "postfix|exim"
-cd ${D}; ./install.sh mail/courier-restart.sh
-# Smarthost
-editor /etc/courier/esmtproutes
-#     szepe.net: mail.szepe.net,25 /SECURITY=REQUIRED
-#     : %SMART-HOST%,587 /SECURITY=REQUIRED
-#     : in-v3.mailjet.com,587 /SECURITY=REQUIRED
-# From jessie on - requires ESMTP_TLS_VERIFY_DOMAIN=1 and TLS_VERIFYPEER=PEER
-#     : %SMART-HOST%,465 /SECURITY=SMTPS
-editor /etc/courier/esmtpauthclient
-#     smtp.mandrillapp.com,587 MANDRILL@ACCOUNT API-KEY
-# Diffie-Hellman parameter
-DH_BITS=2048 nice /usr/sbin/mkdhparams
-# DH params cron.monthly job
-# @TODO Move it to a file
-echo -e '#!/bin/bash\nDH_BITS=2048 nice /usr/sbin/mkdhparams 2> /dev/null\nexit 0' > /usr/local/sbin/courier-dhparams.sh
-echo -e '#!/bin/bash\n/usr/local/sbin/courier-dhparams.sh' > /etc/cron.monthly/courier-dhparams
-chmod 755 /usr/local/sbin/courier-dhparams.sh /etc/cron.monthly/courier-dhparams
-editor /etc/courier/esmtpd
-#     TLS_DHPARAMS=/etc/courier/dhparams.pem
-#     ADDRESS=127.0.0.1
-#     TCPDOPTS=" ... ... -noidentlookup"
-#     ESMTPAUTH=""
-#     ESMTPAUTH_TLS=""
-editor /etc/courier/esmtpd-ssl
-#     SSLADDRESS=127.0.0.1
-#     TLS_DHPARAMS=/etc/courier/dhparams.pem
-editor /etc/courier/smtpaccess/default
-#     127.0.0.1	allow,RELAYCLIENT
-#     :0000:0000:0000:0000:0000:0000:0000:0001	allow,RELAYCLIENT
-editor /etc/courier/me
-# Check MX record
-host -t MX $(cat /etc/courier/me)
-editor /etc/courier/defaultdomain
-# SPF - Add this server to the SPF record of its domains
-editor /etc/courier/dsnfrom
-editor /etc/courier/locals
-#     localhost
-#     # Remove own hostname!
-editor /etc/courier/aliases/system
-#     postmaster: |/usr/bin/couriersrs --srsdomain=DOMAIN.SRS admin@szepe.net
-courier-restart.sh
-# Allow unauthenticated SMTP traffic from this server on the smarthost
-#     editor /etc/courier/smtpaccess/default
-#         %%IP%%<TAB>allow,RELAYCLIENT,AUTH_REQUIRED=0
-
-# Receive bounce messages on the smarthost
-#     editor /etc/courier/aliases/system
-#         @HOSTNAME.TLD: LOCAL-USER
-#     editor /var/mail/DOMAIN/USER/.courier-default
-#         LOCAL-USER
-#     courier-restart.sh
-echo "This is a t3st mail."|mailx -s "[first] Subject of the 1st email" viktor@szepe.net
-
-# Apache 2.4 with ITK
-# @wheezy apt-get install -y -t wheezy-experimental apache2-mpm-itk apache2-utils libapache2-mod-fastcgi
-#apt-get install -y apache2-mpm-itk apache2-utils
+# See: ${D}/mail/courier-mta-send-only-setup.sh
 
 # Apache 2.4 with mpm-events
 apt-get install -y apache2 apache2-utils
@@ -743,6 +686,10 @@ apt-get install -y mod-pagespeed-stable
 ls -l /etc/apt/sources.list.d/*pagespeed*
 #rm -v /etc/apt/sources.list.d/mod-pagespeed.list
 
+# Apache security
+https://github.com/rfxn/linux-malware-detect
+https://github.com/Neohapsis/NeoPI
+
 # Nginx 1.8
 apt-get install -y nginx-lite
 # Nginx packages: lite, full, extra

diff --git a/mail/README.md b/mail/README.md
@@ -302,9 +302,10 @@ http://www.returnpath.com/solution-content/dmarc-support/what-is-dmarc/
 - https://inlinestyler.torchbox.com/styler/
 - https://putsmail.com/
 
-### Feedback loops
+### Feedback loops, postmaster tools
 
-https://wordtothewise.com/isp-information/
+- https://wordtothewise.com/isp-information/
+- http://postmaster.live.com/snds/
 
 ### RBL-s (DNSBL)
 
@@ -321,9 +322,7 @@ http://psky.me/
 #### Check RBL-s
 
 ```bash
-cat anti-abuse.org.rbl | xargs -I %% host -t A "$(revip "$IP").%%" 2>&1 \
-    | grep -v "not found: 3(NXDOMAIN)"
-#rblcheck
+rblcheck
 ```
 
 Trendmicro ERS check
@@ -333,9 +332,20 @@ wget -qO- --post-data="_method=POST&data[Reputation][ip]=${IP}" https://ers.tren
     | sed -ne 's;.*<dd>\(.\+\)</dd>.*;\1;p' | tr '\n' ' '
 ```
 
-Response: "IP Unlisted in the spam sender list None"
+OK response: "IP Unlisted in the spam sender list None"
 
-### Monitoring IP reputation
+### IP reputation
+
+- http://www.senderbase.org/lookup/
+- https://www.senderscore.org/lookup.php
+- http://www.barracudacentral.org/lookups
+- http://www.cyren.com/ip-reputation-check.html
+- http://www.mcafee.com/threat-intelligence/ip/spam-senders.aspx
+- http://ipremoval.sms.symantec.com/lookup/
+- https://postmaster.aol.com/ip-reputation
+- https://ers.trendmicro.com/reputations
+
+#### IP reputation monitoring
 
 - https://mxtoolbox.com/services_servermonitoring2.aspx
 - https://www.projecthoneypot.org/monitor_settings.php
@@ -345,6 +355,7 @@ Response: "IP Unlisted in the spam sender list None"
 
 - https://www.dnswl.org/?page_id=87
 - http://www.emailreg.org/index.cgi?p=policy (Barracuda)
+- https://ers.trendmicro.com/reputations/global_approved_list
 
 ### Free e-mail backup server
 

diff --git a/mail/courier-mta-send-only-setup.sh b/mail/courier-mta-send-only-setup.sh
@@ -0,0 +1,75 @@
+#!/bin/bash --version
+
+exit 0
+
+# Courier MTA - deliver all messages to a smarthost
+#
+#     1. Send-only servers don't receive emails.
+#     1. Send-only servers don't have local domain names.
+#     1. They should have an MX record pointing to the smarthost.
+#     1. Smarthost should receive all emails addressed to send-only server's domain name.
+clear; apt-get install -y courier-mta courier-mta-ssl
+# Fix dependency on courier-authdaemon
+sed -i '1,20s/^\(#\s\+Required-Start:\s.*\)$/\1 courier-authdaemon/' /etc/init.d/courier-mta
+update-rc.d courier-mta defaults
+# Check for other MTA-s
+dpkg -l | grep -E "postfix|exim"
+cd ${D}; ./install.sh mail/courier-restart.sh
+# Smarthost
+editor /etc/courier/esmtproutes
+#     szepe.net: mail.szepe.net,25 /SECURITY=REQUIRED
+#     : %SMART-HOST%,587 /SECURITY=REQUIRED
+#     : in-v3.mailjet.com,587 /SECURITY=REQUIRED
+# From jessie on - requires ESMTP_TLS_VERIFY_DOMAIN=1 and TLS_VERIFYPEER=PEER
+#     : %SMART-HOST%,465 /SECURITY=SMTPS
+editor /etc/courier/esmtpauthclient
+#     smtp.mandrillapp.com,587 MANDRILL@ACCOUNT API-KEY
+# Diffie-Hellman parameter
+DH_BITS=2048 nice /usr/sbin/mkdhparams
+# DH params cron.monthly job
+# @TODO Move it to a file
+echo -e '#!/bin/bash\nDH_BITS=2048 nice /usr/sbin/mkdhparams 2> /dev/null\nexit 0' > /usr/local/sbin/courier-dhparams.sh
+echo -e '#!/bin/bash\n/usr/local/sbin/courier-dhparams.sh' > /etc/cron.monthly/courier-dhparams
+chmod 755 /usr/local/sbin/courier-dhparams.sh /etc/cron.monthly/courier-dhparams
+# SSL setup
+editor /etc/courier/courierd
+editor /etc/courier/esmtpd
+editor /etc/courier/esmtpd-ssl
+#     TLS_PROTOCOL="TLSv1.2:TLSv1.1:TLS1"
+#     TLS_CIPHER_LIST="" See https://mozilla.github.io/server-side-tls/ssl-config-generator/
+#     TLS_DHPARAMS=/etc/courier/courier-dhparams.pem
+#     TLS_CACHEFILE=/var/lib/courier/tmp/ssl_cache
+#     TLS_CACHESIZE=524288
+editor /etc/courier/esmtpd
+#     ADDRESS=127.0.0.1
+#     TCPDOPTS=" ... ... -noidentlookup"
+#     ESMTPAUTH=""
+#     ESMTPAUTH_TLS=""
+editor /etc/courier/esmtpd-ssl
+#     SSLADDRESS=127.0.0.1
+editor /etc/courier/smtpaccess/default
+#     127.0.0.1	allow,RELAYCLIENT
+#     :0000:0000:0000:0000:0000:0000:0000:0001	allow,RELAYCLIENT
+editor /etc/courier/me
+# Check MX record
+host -t MX $(cat /etc/courier/me)
+editor /etc/courier/defaultdomain
+# SPF - Add this server to the SPF record of its domains
+editor /etc/courier/dsnfrom
+editor /etc/courier/locals
+#     localhost
+#     # Remove own hostname!
+editor /etc/courier/aliases/system
+#     postmaster: |/usr/bin/couriersrs --srsdomain=DOMAIN.SRS admin@szepe.net
+courier-restart.sh
+# Allow unauthenticated SMTP traffic from this server on the smarthost
+#     editor /etc/courier/smtpaccess/default
+#         %%IP%%<TAB>allow,RELAYCLIENT,AUTH_REQUIRED=0
+
+# Receive bounce messages on the smarthost
+#     editor /etc/courier/aliases/system
+#         @HOSTNAME.TLD: LOCAL-USER
+#     editor /var/mail/DOMAIN/USER/.courier-default
+#         LOCAL-USER
+#     courier-restart.sh
+echo "This is a t3st mail."|mailx -s "[first] Subject of the 1st email" viktor@szepe.net
diff --git a/mail/smtpaccess.conf b/mail/smtpaccess.conf
@@ -79,6 +79,8 @@
 85.25.38.34	allow,BLOCK
 85.25.38.35	allow,BLOCK
 85.25.38.36	allow,BLOCK
+# ATW - mail.atw.hu.
+88.151.96.10	allow,BLOCK
 
 
 # --- Other subscriptions - allow,BLOCK

diff --git a/monitoring/cron-old.sh b/monitoring/cron-old.sh
@@ -2,28 +2,29 @@
 #
 # Alert on long-running cron jobs.
 #
-# VERSION       :0.1.0
-# DATE          :2016-02-10
+# VERSION       :0.2.0
+# DATE          :2016-04-18
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # URL           :https://github.com/szepeviktor/debian-server-tools
 # LICENSE       :The MIT License (MIT)
 # BASH-VERSION  :4.2+
 # LOCATION      :/usr/local/sbin/cron-old.sh
-# CRON.D        :*/5 *	* * *	root	/usr/local/sbin/cron-old.sh
+# CRON.D        :*/30 *	* * *	root	/usr/local/sbin/cron-old.sh
 
-declare -i CRON_MAX_AGE="10"
+declare -i CRON_MAX_AGE="50"
 declare -i CRON_CHILD_AGE
 
 # Oldest cron job
 CRON_CHILD_PID="$(pgrep --parent $(cat /run/crond.pid) --oldest)"
 
 [ -z "$CRON_CHILD_PID" ] && exit 0
 
-# List job ages
+# List job age
 ps -o etimes= -p "$CRON_CHILD_PID" \
     | while read -r CRON_CHILD_AGE; do
         [ "$CRON_CHILD_AGE" -lt $((CRON_MAX_AGE * 60)) ] && continue
 
+        # Alert on long-running jobs
         CRON_CHILD_INFO="${CRON_CHILD_PID}:$(ps -o cmd= --ppid "$CRON_CHILD_PID")"
         echo "Cron job (${CRON_CHILD_INFO}) is running for more than ${CRON_MAX_AGE} minutes." 1>&2
     done

diff --git a/monitoring/syslog-errors-infrequent.sh b/monitoring/syslog-errors-infrequent.sh
@@ -1,29 +1,26 @@
 #!/bin/bash
 #
-# Send interesting parts of syslog of the last 3 hours. Simple logcheck.
+# Send interesting parts of syslog from the last 3 hours. Simple logcheck.
 #
-# VERSION       :0.1.5
-# DATE          :2016-02-06
+# VERSION       :0.8.0
+# DATE          :2016-04-20
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
 # URL           :https://github.com/szepeviktor/debian-server-tools
 # BASH-VERSION  :4.2+
-# DEPENDS       :apt-get install libdate-manip-perl
-# DEPENDS       :cpan App:dategrep
+# DEPENDS       :apt-get install logtail
 # LOCATION      :/usr/local/sbin/syslog-errors-infrequent.sh
 # CRON.D        :17 */3	* * *	root	/usr/local/sbin/syslog-errors-infrequent.sh
 
-# Use package/dategrep-install.sh
-
 Failures() {
+    # -intERRupt,-bERRy, -WARNer, -fail2ban, -MISSy
     grep -Ei "crit|err[^uy]|warn[^e]|fail[^2]|alert|unknown|unable|miss[^y]\
 |except|disable|invalid|fault|cannot|denied|broken|exceed|unsafe|unsolicited\
 |limit reach|unhandled"
 }
 
-# Every three hours 17 minutes as in Debian cron.hourly
-/usr/local/bin/dategrep --format rsyslog --multiline \
-    --from "3 hour ago from -17:00" --to "-17:00" $(ls -tr /var/log/syslog* | tail -n 2) \
+# Search recent log entries
+logtail2 /var/log/syslog \
     | grep -F -v "$0" \
     | Failures \
     | grep -E -v "error@|spamd\[[0-9]+\]: spamd:|courierd: SHUTDOWN: respawnlo limit reached, system inactive\.$" \
@@ -33,9 +30,8 @@ Failures() {
 # Process boot log
 if [ -s /var/log/boot ] && [ "$(wc -l < /var/log/boot)" -gt 1 ]; then
     # Skip "(Nothing has been logged yet.)"
-    sed -e '1!b;/^(Nothing .*$/d' /var/log/boot \
-        | /usr/local/bin/dategrep --format "%a %b %e %H:%M:%S %Y" --multiline \
-            --from "3 hour ago from -17:00" --to "-17:00" \
+    logtail2 /var/log/boot \
+        | sed -e '1!b;/^(Nothing .*$/d' \
         | Failures
 fi