From 995652bbbda983ad8cf416ef7ed4f8abe47cac75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Wed, 20 Apr 2016 14:02:09 +0000 Subject: [PATCH] today --- .gitmodules | 3 + debian-image-bare-bone.sh | 2 + debian-image-os-image.sh | 2 +- debian-setup.sh | 89 ++++--------------- mail/README.md | 25 ++++-- mail/courier-mta-send-only-setup.sh | 75 ++++++++++++++++ mail/smtpaccess.conf | 2 + monitoring/cron-old.sh | 11 +-- monitoring/syslog-errors-infrequent.sh | 22 ++--- monitoring/syslog-errors.sh | 21 ++--- package/apt-add-repo.sh | 2 +- package/dategrep-install.sh | 2 +- package/debackport.sh | 2 +- package/pbuilder_zdkimfilter.sh | 2 +- repo | 2 +- security/IPtables.md | 16 ++++ .../fail2ban-conf/filter.d/courier-smtp.local | 2 + security/fail2ban-leanmail/leanmail.sh | 6 +- security/maldet | 1 + security/myattackers-ipsets/README.md | 12 +++ .../myattackers-ipsets/leonlundberg.ipset | 2 +- security/myattackers-ipsets/lu-root.ipset | 2 +- .../myattackers-ipsets/mirtelematiki.ipset | 2 +- security/myattackers-ipsets/shodan-io.ipset | 2 +- security/myattackers-ipsets/sks-lugan.ipset | 2 +- security/myattackers-ipsets/spidernet.ipset | 2 +- tools/ip.sh | 13 ++- virtualization/Docker.md | 35 -------- virtualization/Xen.md | 8 +- virtualization/jessie-backport/Dockerfile | 5 +- virtualization/jessie-backport/debackport.sh | 2 +- virtualization/jessie-build/Dockerfile | 7 +- virtualization/jessie-py2deb/docker-py2deb.sh | 2 +- webserver/add-site.sh | 2 +- 34 files changed, 210 insertions(+), 175 deletions(-) create mode 100644 mail/courier-mta-send-only-setup.sh create mode 100644 security/IPtables.md create mode 160000 security/maldet diff --git a/.gitmodules b/.gitmodules index 0a40074c..2d68ffb7 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -34,3 +34,6 @@ [submodule "monitoring/virt-what"] path = monitoring/virt-what url = git://git.annexia.org/git/virt-what.git +[submodule "security/maldet"] + path = security/maldet + url = https://github.com/ftrojahn/linux-malware-detect.git diff --git a/debian-image-bare-bone.sh b/debian-image-bare-bone.sh index 38d6d4e0..109511f9 100644 --- a/debian-image-bare-bone.sh +++ b/debian-image-bare-bone.sh @@ -89,6 +89,8 @@ apt-get -qq -y install virt-what && virt-what cat /proc/cmdline grep -a "container=" /proc/1/environ # OpenVZ cat /sys/hypervisor/uuid # Xen UUID +xenstore-read "/local/domain/$(xenstore-read "domid")/unique-domain-id" # Xen unique domain ID +#xenstore-ls "/local/domain/$(xenstore-read "domid")" # Xen details dmidecode -s system-product-name # Xen type: HVM/PV-HVM/PV dmidecode -s system-uuid # HyperV diff --git a/debian-image-os-image.sh b/debian-image-os-image.sh index 6bcf4088..e40c1ddc 100644 --- a/debian-image-os-image.sh +++ b/debian-image-os-image.sh @@ -18,7 +18,7 @@ BOOT_PACKAGES="grub-pc|linux-image-amd64|firmware-linux-nonfree|usbutils|mdadm|l |sysvinit|initramfs-tools|insserv|discover|systemd|libpam-systemd|systemd-sysv|dbus\ |extlinux|syslinux-common|elasticstack-container|waagent|scx|omi" -set +e +set -e export LC_ALL=C export DEBIAN_FRONTEND=noninteractive diff --git a/debian-setup.sh b/debian-setup.sh index 86d8f64d..7b2d78bf 100755 --- a/debian-setup.sh +++ b/debian-setup.sh 
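Review bot: Flipping `set +e` to `set -e` in debian-image-os-image.sh changes the exit behaviour of every command after the hunk, and the same flip lands in package/apt-add-repo.sh, package/dategrep-install.sh and package/pbuilder_zdkimfilter.sh; none of those hunks show the later commands, so any step that legitimately returns non-zero (a grep with no match, a `dpkg -l | grep` probe) will now abort the script at that point. Under `-e` a pipeline still reports only its last stage, so a failing download piped into `tar` or `sed` is still not caught; consider `set -e -o pipefail` where the interpreter is bash, and an explicit `|| true` on probes that are allowed to fail. The remainder of each script is outside the hunk, so this is an audit request rather than a sighted bug.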
@@ -10,9 +10,10 @@ # How to choose VPS provider? # # - Disk access time (~1 ms) -# - CPU speed (2000+ PassMark CPU Mark, sub-20 ms sysbench) +# - CPU speed (2000+ PassMark CPU Mark, sub-20 ms sysbench, 100-150 ms in wordpress-speedtest) +# - Redundancy in: power, network, storage, hypervisors # - Worldwide and regional bandwidth, port speed -# - Spammer neighbours https://www.projecthoneypot.org/ip_1.2.3.4 +# - Spammer neighbours https://www.projecthoneypot.org/ http://www.senderbase.org/lookup/ # - Response time of nightime technical support in case of network or hardware failure # - Daytime technical and billing support # - D/DoS mitigation @@ -349,6 +350,12 @@ editor /etc/resolv.conf # # OVH resolvers # France 213.186.33.99 +# +# ATW resolvers +# 88.151.96.15 +# 88.151.96.16 +# 2a01:270::15 +# 2a01:270::16 clear; ping6 -c 4 ipv6.google.com host -v -tA example.com|grep "^example\.com\.\s*[0-9]\+\s*IN\s*A\s*93\.184\.216\.34$"||echo "DNS error" @@ -358,16 +365,17 @@ host -v -tA example.com|grep "^example\.com\.\s*[0-9]\+\s*IN\s*A\s*93\.184\.216\ # SSL support rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key # Update ca-certificates -#wget -qO- http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/unstable_changelog|less -#Getpkg ca-certificates +wget -qO- http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/unstable_changelog|less +Getpkg ca-certificates # Install szepenet CA CA_NAME="szepenet" CA_FILE="szepenet_ca.crt" mkdir -v /usr/local/share/ca-certificates/${CA_NAME} cp -v ${D}/security/ca/ca-web/szepenet-ca.pem /usr/local/share/ca-certificates/${CA_NAME}/${CA_FILE} -update-ca-certificates -v -f # Monitor certificates cd ${D}; ./install.sh monitoring/cert-expiry.sh +# Update certificates +update-ca-certificates -v -f # Block dangerous networks cd ${D}/security/myattackers-ipsets/ 
@@ -647,72 +655,7 @@ cp -vf ${D}/mail/msmtprc /etc/ echo "This is a test mail."|mailx -s "[first] Subject of the first email" ADDRESS # Courier MTA - deliver all messages to a smarthost -# Send-only servers don't receive emails. -# Send-only servers don't have local domain names. -# They should have an MX record pointing to the smarthost. -# Smarthost should receive all emails addressed to send-only server's domain name. -clear; apt-get install -y courier-mta courier-mta-ssl -# Fix dependency on courier-authdaemon -sed -i '1,20s/^\(#\s\+Required-Start:\s.*\)$/\1 courier-authdaemon/' /etc/init.d/courier-mta -update-rc.d courier-mta defaults -# Check for other MTA-s -dpkg -l | grep -E "postfix|exim" -cd ${D}; ./install.sh mail/courier-restart.sh -# Smarthost -editor /etc/courier/esmtproutes -# szepe.net: mail.szepe.net,25 /SECURITY=REQUIRED -# : %SMART-HOST%,587 /SECURITY=REQUIRED -# : in-v3.mailjet.com,587 /SECURITY=REQUIRED -# From jessie on - requires ESMTP_TLS_VERIFY_DOMAIN=1 and TLS_VERIFYPEER=PEER -# : %SMART-HOST%,465 /SECURITY=SMTPS -editor /etc/courier/esmtpauthclient -# smtp.mandrillapp.com,587 MANDRILL@ACCOUNT API-KEY -# Diffie-Hellman parameter -DH_BITS=2048 nice /usr/sbin/mkdhparams -# DH params cron.monthly job -# @TODO Move it to a file -echo -e '#!/bin/bash\nDH_BITS=2048 nice /usr/sbin/mkdhparams 2> /dev/null\nexit 0' > /usr/local/sbin/courier-dhparams.sh -echo -e '#!/bin/bash\n/usr/local/sbin/courier-dhparams.sh' > /etc/cron.monthly/courier-dhparams -chmod 755 /usr/local/sbin/courier-dhparams.sh /etc/cron.monthly/courier-dhparams -editor /etc/courier/esmtpd -# TLS_DHPARAMS=/etc/courier/dhparams.pem -# ADDRESS=127.0.0.1 -# TCPDOPTS=" ... ... 
-noidentlookup" -# ESMTPAUTH="" -# ESMTPAUTH_TLS="" -editor /etc/courier/esmtpd-ssl -# SSLADDRESS=127.0.0.1 -# TLS_DHPARAMS=/etc/courier/dhparams.pem -editor /etc/courier/smtpaccess/default -# 127.0.0.1 allow,RELAYCLIENT -# :0000:0000:0000:0000:0000:0000:0000:0001 allow,RELAYCLIENT -editor /etc/courier/me -# Check MX record -host -t MX $(cat /etc/courier/me) -editor /etc/courier/defaultdomain -# SPF - Add this server to the SPF record of its domains -editor /etc/courier/dsnfrom -editor /etc/courier/locals -# localhost -# # Remove own hostname! -editor /etc/courier/aliases/system -# postmaster: |/usr/bin/couriersrs --srsdomain=DOMAIN.SRS admin@szepe.net -courier-restart.sh -# Allow unauthenticated SMTP traffic from this server on the smarthost -# editor /etc/courier/smtpaccess/default -# %%IP%%allow,RELAYCLIENT,AUTH_REQUIRED=0 - -# Receive bounce messages on the smarthost -# editor /etc/courier/aliases/system -# @HOSTNAME.TLD: LOCAL-USER -# editor /var/mail/DOMAIN/USER/.courier-default -# LOCAL-USER -# courier-restart.sh -echo "This is a t3st mail."|mailx -s "[first] Subject of the 1st email" viktor@szepe.net - -# Apache 2.4 with ITK -# @wheezy apt-get install -y -t wheezy-experimental apache2-mpm-itk apache2-utils libapache2-mod-fastcgi -#apt-get install -y apache2-mpm-itk apache2-utils +# See: ${D}/mail/courier-mta-send-only-setup.sh # Apache 2.4 with mpm-events apt-get install -y apache2 apache2-utils @@ -743,6 +686,10 @@ apt-get install -y mod-pagespeed-stable ls -l /etc/apt/sources.list.d/*pagespeed* #rm -v /etc/apt/sources.list.d/mod-pagespeed.list +# Apache security +https://github.com/rfxn/linux-malware-detect +https://github.com/Neohapsis/NeoPI + # Nginx 1.8 apt-get install -y nginx-lite # Nginx packages: lite, full, extra diff --git a/mail/README.md b/mail/README.md index 69ce8bbc..1b7a69e2 100644 --- a/mail/README.md +++ b/mail/README.md 
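Review bot: The three new lines under `# Apache security` in debian-setup.sh are bare URLs rather than comments, so if this part of the script is ever executed bash will try to run `https://github.com/rfxn/linux-malware-detect` as a command and stop with "command not found"; prefix them like the surrounding notes: `# https://github.com/rfxn/linux-malware-detect` and `# https://github.com/Neohapsis/NeoPI`. Note also that the .gitmodules hunk earlier in this patch adds the `security/maldet` submodule from `ftrojahn/linux-malware-detect`, a different repository from the `rfxn` one cited here; if the fork is intentional, a comment saying why, and which one is the source of truth, would keep the two from drifting.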
@@ -302,9 +302,10 @@ http://www.returnpath.com/solution-content/dmarc-support/what-is-dmarc/ - https://inlinestyler.torchbox.com/styler/ - https://putsmail.com/ -### Feedback loops +### Feedback loops, postmaster tools -https://wordtothewise.com/isp-information/ +- https://wordtothewise.com/isp-information/ +- http://postmaster.live.com/snds/ ### RBL-s (DNSBL) @@ -321,9 +322,7 @@ http://psky.me/ #### Check RBL-s ```bash -cat anti-abuse.org.rbl | xargs -I %% host -t A "$(revip "$IP").%%" 2>&1 \ - | grep -v "not found: 3(NXDOMAIN)" -#rblcheck +rblcheck ``` Trendmicro ERS check @@ -333,9 +332,20 @@ wget -qO- --post-data="_method=POST&data[Reputation][ip]=${IP}" https://ers.tren | sed -ne 's;.*
\(.\+\)
.*;\1;p' | tr '\n' ' ' ``` -Response: "IP Unlisted in the spam sender list None" +OK response: "IP Unlisted in the spam sender list None" -### Monitoring IP reputation +### IP reputation + +- http://www.senderbase.org/lookup/ +- https://www.senderscore.org/lookup.php +- http://www.barracudacentral.org/lookups +- http://www.cyren.com/ip-reputation-check.html +- http://www.mcafee.com/threat-intelligence/ip/spam-senders.aspx +- http://ipremoval.sms.symantec.com/lookup/ +- https://postmaster.aol.com/ip-reputation +- https://ers.trendmicro.com/reputations + +#### IP reputation monitoring - https://mxtoolbox.com/services_servermonitoring2.aspx - https://www.projecthoneypot.org/monitor_settings.php @@ -345,6 +355,7 @@ Response: "IP Unlisted in the spam sender list None" - https://www.dnswl.org/?page_id=87 - http://www.emailreg.org/index.cgi?p=policy (Barracuda) +- https://ers.trendmicro.com/reputations/global_approved_list ### Free e-mail backup server diff --git a/mail/courier-mta-send-only-setup.sh b/mail/courier-mta-send-only-setup.sh new file mode 100644 index 00000000..2e1e653a --- /dev/null +++ b/mail/courier-mta-send-only-setup.sh 
@@ -0,0 +1,75 @@ +#!/bin/bash --version + +exit 0 + +# Courier MTA - deliver all messages to a smarthost +# +# 1. Send-only servers don't receive emails. +# 1. Send-only servers don't have local domain names. +# 1. They should have an MX record pointing to the smarthost. +# 1. Smarthost should receive all emails addressed to send-only server's domain name. +clear; apt-get install -y courier-mta courier-mta-ssl +# Fix dependency on courier-authdaemon +sed -i '1,20s/^\(#\s\+Required-Start:\s.*\)$/\1 courier-authdaemon/' /etc/init.d/courier-mta +update-rc.d courier-mta defaults +# Check for other MTA-s +dpkg -l | grep -E "postfix|exim" +cd ${D}; ./install.sh mail/courier-restart.sh +# Smarthost +editor /etc/courier/esmtproutes +# szepe.net: mail.szepe.net,25 /SECURITY=REQUIRED +# : %SMART-HOST%,587 /SECURITY=REQUIRED +# : in-v3.mailjet.com,587 /SECURITY=REQUIRED +# From jessie on - requires ESMTP_TLS_VERIFY_DOMAIN=1 and TLS_VERIFYPEER=PEER +# : %SMART-HOST%,465 /SECURITY=SMTPS +editor /etc/courier/esmtpauthclient +# smtp.mandrillapp.com,587 MANDRILL@ACCOUNT API-KEY +# Diffie-Hellman parameter +DH_BITS=2048 nice /usr/sbin/mkdhparams +# DH params cron.monthly job +# @TODO Move it to a file +echo -e '#!/bin/bash\nDH_BITS=2048 nice /usr/sbin/mkdhparams 2> /dev/null\nexit 0' > /usr/local/sbin/courier-dhparams.sh +echo -e '#!/bin/bash\n/usr/local/sbin/courier-dhparams.sh' > /etc/cron.monthly/courier-dhparams +chmod 755 /usr/local/sbin/courier-dhparams.sh /etc/cron.monthly/courier-dhparams +# SSL setup +editor /etc/courier/courierd +editor /etc/courier/esmtpd +editor /etc/courier/esmtpd-ssl +# TLS_PROTOCOL="TLSv1.2:TLSv1.1:TLS1" +# TLS_CIPHER_LIST="" See https://mozilla.github.io/server-side-tls/ssl-config-generator/ +# TLS_DHPARAMS=/etc/courier/courier-dhparams.pem +# TLS_CACHEFILE=/var/lib/courier/tmp/ssl_cache +# TLS_CACHESIZE=524288 +editor /etc/courier/esmtpd +# ADDRESS=127.0.0.1 +# TCPDOPTS=" ... ... 
-noidentlookup" +# ESMTPAUTH="" +# ESMTPAUTH_TLS="" +editor /etc/courier/esmtpd-ssl +# SSLADDRESS=127.0.0.1 +editor /etc/courier/smtpaccess/default +# 127.0.0.1 allow,RELAYCLIENT +# :0000:0000:0000:0000:0000:0000:0000:0001 allow,RELAYCLIENT +editor /etc/courier/me +# Check MX record +host -t MX $(cat /etc/courier/me) +editor /etc/courier/defaultdomain +# SPF - Add this server to the SPF record of its domains +editor /etc/courier/dsnfrom +editor /etc/courier/locals +# localhost +# # Remove own hostname! +editor /etc/courier/aliases/system +# postmaster: |/usr/bin/couriersrs --srsdomain=DOMAIN.SRS admin@szepe.net +courier-restart.sh +# Allow unauthenticated SMTP traffic from this server on the smarthost +# editor /etc/courier/smtpaccess/default +# %%IP%%allow,RELAYCLIENT,AUTH_REQUIRED=0 + +# Receive bounce messages on the smarthost +# editor /etc/courier/aliases/system +# @HOSTNAME.TLD: LOCAL-USER +# editor /var/mail/DOMAIN/USER/.courier-default +# LOCAL-USER +# courier-restart.sh +echo "This is a t3st mail."|mailx -s "[first] Subject of the 1st email" viktor@szepe.net diff --git a/mail/smtpaccess.conf b/mail/smtpaccess.conf index 39628a5e..214ba476 100644 --- a/mail/smtpaccess.conf +++ b/mail/smtpaccess.conf @@ -79,6 +79,8 @@ 85.25.38.34 allow,BLOCK 85.25.38.35 allow,BLOCK 85.25.38.36 allow,BLOCK +# ATW - mail.atw.hu. +88.151.96.10 allow,BLOCK # --- Other subscriptions - allow,BLOCK diff --git a/monitoring/cron-old.sh b/monitoring/cron-old.sh index bc4168d5..49fc4c39 100755 --- a/monitoring/cron-old.sh +++ b/monitoring/cron-old.sh 
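Review bot: `# TLS_DHPARAMS=/etc/courier/courier-dhparams.pem` in the SSL setup block names a different file from the block this script replaces in debian-setup.sh, which had `TLS_DHPARAMS=/etc/courier/dhparams.pem`; the parameters come from `DH_BITS=2048 nice /usr/sbin/mkdhparams`, whose output path is not shown here, so one of the two values is presumably wrong and would leave esmtpd pointing at a file that does not exist. Please confirm the path mkdhparams writes and use the same value in both esmtpd and esmtpd-ssl. The suggested `TLS_PROTOCOL="TLSv1.2:TLSv1.1:TLS1"` also still admits TLS 1.0; since both listeners are bound to 127.0.0.1 the exposure is local, but a comment recording that trade-off would help the next reader. The esmtpauthclient example stores a smarthost API key, so the cookbook should also mention verifying that file's ownership and mode after editing it.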
@@ -2,16 +2,16 @@
 #
 # Alert on long-running cron jobs.
 #
-# VERSION :0.1.0
-# DATE :2016-02-10
+# VERSION :0.2.0
+# DATE :2016-04-18
 # AUTHOR :Viktor Szépe
 # URL :https://github.com/szepeviktor/debian-server-tools
 # LICENSE :The MIT License (MIT)
 # BASH-VERSION :4.2+
 # LOCATION :/usr/local/sbin/cron-old.sh
-# CRON.D :*/5 * * * * root /usr/local/sbin/cron-old.sh
+# CRON.D :*/30 * * * * root /usr/local/sbin/cron-old.sh
-declare -i CRON_MAX_AGE="10"
+declare -i CRON_MAX_AGE="50"
 declare -i CRON_CHILD_AGE
 # Oldest cron job
@@ -19,11 +19,12 @@ CRON_CHILD_PID="$(pgrep --parent $(cat /run/crond.pid) --oldest)"
 [ -z "$CRON_CHILD_PID" ] && exit 0
-# List job ages
+# List job age
 ps -o etimes= -p "$CRON_CHILD_PID" \
 | while read -r CRON_CHILD_AGE; do
 [ "$CRON_CHILD_AGE" -lt $((CRON_MAX_AGE * 60)) ] && continue
+ # Alert on long-running jobs
 CRON_CHILD_INFO="${CRON_CHILD_PID}:$(ps -o cmd= --ppid "$CRON_CHILD_PID")"
 echo "Cron job (${CRON_CHILD_INFO}) is running for more than ${CRON_MAX_AGE} minutes." 1>&2
 done
diff --git a/monitoring/syslog-errors-infrequent.sh b/monitoring/syslog-errors-infrequent.sh
index ac04db2f..cb82fe91 100755
--- a/monitoring/syslog-errors-infrequent.sh
+++ b/monitoring/syslog-errors-infrequent.sh
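Review bot: `declare -i CRON_MAX_AGE="50"` and the `CRON.D :*/30` header are now coupled, and nothing in the file records that: with a check every 30 minutes, a job that exceeds the threshold but finishes less than 30 minutes later may never coincide with a check and goes unreported. A comment above the declaration, `# Minutes; checks run every 30 min (see CRON.D), so overruns shorter than that can go unnoticed`, would make the next retune safe. The alert also repeats on every run while the job is still running, which is fine at this cadence but worth stating in the header comment.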
@@ -1,29 +1,26 @@
 #!/bin/bash
 #
-# Send interesting parts of syslog of the last 3 hours. Simple logcheck.
+# Send interesting parts of syslog from the last 3 hours. Simple logcheck.
 #
-# VERSION :0.1.5
-# DATE :2016-02-06
+# VERSION :0.8.0
+# DATE :2016-04-20
 # AUTHOR :Viktor Szépe
 # LICENSE :The MIT License (MIT)
 # URL :https://github.com/szepeviktor/debian-server-tools
 # BASH-VERSION :4.2+
-# DEPENDS :apt-get install libdate-manip-perl
-# DEPENDS :cpan App:dategrep
+# DEPENDS :apt-get install logtail
 # LOCATION :/usr/local/sbin/syslog-errors-infrequent.sh
 # CRON.D :17 */3 * * * root /usr/local/sbin/syslog-errors-infrequent.sh
-# Use package/dategrep-install.sh
-
 Failures() {
+ # -intERRupt,-bERRy, -WARNer, -fail2ban, -MISSy
 grep -Ei "crit|err[^uy]|warn[^e]|fail[^2]|alert|unknown|unable|miss[^y]\
 |except|disable|invalid|fault|cannot|denied|broken|exceed|unsafe|unsolicited\
 |limit reach|unhandled"
 }
-# Every three hours 17 minutes as in Debian cron.hourly
-/usr/local/bin/dategrep --format rsyslog --multiline \
- --from "3 hour ago from -17:00" --to "-17:00" $(ls -tr /var/log/syslog* | tail -n 2) \
+# Search recent log entries
+logtail2 /var/log/syslog \
 | grep -F -v "$0" \
 | Failures \
 | grep -E -v "error@|spamd\[[0-9]+\]: spamd:|courierd: SHUTDOWN: respawnlo limit reached, system inactive\.$" \
@@ -33,9 +30,8 @@ Failures() {
 # Process boot log
 if [ -s /var/log/boot ] && [ "$(wc -l < /var/log/boot)" -gt 1 ]; then
 # Skip "(Nothing has been logged yet.)"
- sed -e '1!b;/^(Nothing .*$/d' /var/log/boot \
- | /usr/local/bin/dategrep --format "%a %b %e %H:%M:%S %Y" --multiline \
- --from "3 hour ago from -17:00" --to "-17:00" \
+ logtail2 /var/log/boot \
+ | sed -e '1!b;/^(Nothing .*$/d' \
 | Failures
 fi
diff --git a/monitoring/syslog-errors.sh b/monitoring/syslog-errors.sh
index 0d809f64..2101e42e 100755
--- a/monitoring/syslog-errors.sh
+++ b/monitoring/syslog-errors.sh
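Review bot: `logtail2 /var/log/syslog \` is called without `-o`, so it relies on the default offset file derived from the log path (the log name with .offset appended, as I remember the logtail manual), and monitoring/syslog-errors.sh in this same patch makes the identical call on the same file from its hourly cron entry; if both scripts are installed on one host they share that offset, each run consumes the lines the other was meant to report, and the two `logtail2 /var/log/boot` calls in the boot-log hunks have the same problem. Give each script its own offset, e.g. `logtail2 -o /var/lib/syslog-errors-infrequent.offset /var/log/syslog \`, and likewise for the boot log. A manual run also advances the offset, so a comment near the call, `# NOTE: running this by hand consumes the offset; the next cron run will not resend these lines`, would save some confusion. The `sed -e '1!b;...'` on the boot log now only skips the placeholder when it is the first new line rather than the first line of the file, which is harmless but differs from the old whole-file pass.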
@@ -1,20 +1,17 @@
 #!/bin/bash
 #
-# Send interesting parts of syslog of the last hour. Simple logcheck.
+# Send interesting parts of syslog from the last hour. Simple logcheck.
 #
-# VERSION :0.7.5
-# DATE :2016-01-08
+# VERSION :0.8.0
+# DATE :2016-04-20
 # AUTHOR :Viktor Szépe
 # LICENSE :The MIT License (MIT)
 # URL :https://github.com/szepeviktor/debian-server-tools
 # BASH-VERSION :4.2+
-# DEPENDS :apt-get install libdate-manip-perl
-# DEPENDS :cpan App:dategrep
+# DEPENDS :apt-get install logtail
 # LOCATION :/usr/local/sbin/syslog-errors.sh
 # CRON-HOURLY :/usr/local/sbin/syslog-errors.sh
-# Use package/dategrep-install.sh
-
 Failures() {
 # -intERRupt,-bERRy, -WARNer, -fail2ban, -MISSy
 grep -Ei "crit|err[^uy]|warn[^e]|fail[^2]|alert|unknown|unable|miss[^y]\
@@ -22,9 +19,8 @@ Failures() {
 |limit reach|unhandled"
 }
-# Every hour 17 minutes as in Debian cron.hourly
-/usr/local/bin/dategrep --format rsyslog --multiline \
- --from "1 hour ago from -17:00" --to "-17:00" $(ls -tr /var/log/syslog* | tail -n 2) \
+# Search recent log entries
+logtail2 /var/log/syslog \
 | grep -F -v "$0" \
 | Failures \
 | grep -E -v "error@|spamd\[[0-9]+\]: spamd:|courierd: SHUTDOWN: respawnlo limit reached, system inactive\.$" \
@@ -34,9 +30,8 @@ Failures() {
 # Process boot log
 if [ -s /var/log/boot ] && [ "$(wc -l < /var/log/boot)" -gt 1 ]; then
 # Skip "(Nothing has been logged yet.)"
- sed -e '1!b;/^(Nothing .*$/d' /var/log/boot \
- | /usr/local/bin/dategrep --format "%a %b %e %H:%M:%S %Y" --multiline \
- --from "1 hour ago from -17:00" --to "-17:00" \
+ logtail2 /var/log/boot \
+ | sed -e '1!b;/^(Nothing .*$/d' \
 | Failures
 fi
diff --git a/package/apt-add-repo.sh b/package/apt-add-repo.sh
index a0e30e4e..74803b66 100755
--- a/package/apt-add-repo.sh
+++ b/package/apt-add-repo.sh
@@ -14,7 +14,7 @@
 #
 # apt-add-repo.sh nodejs percona
-set +e
+set -e
 Possible_locations() {
 cat <<-EOF
diff --git a/package/dategrep-install.sh b/package/dategrep-install.sh
index 18e4b34a..a82d023d 100755
--- a/package/dategrep-install.sh +++ b/package/dategrep-install.sh @@ -10,7 +10,7 @@ # BASH-VERSION :4.2+ # UPSTREAM :https://github.com/mdom/dategrep -set +e +set -e DATEGREP="/usr/local/bin/dategrep" DATEGREP_RELEASES="https://api.github.com/repos/mdom/dategrep/releases" diff --git a/package/debackport.sh b/package/debackport.sh index fb5b4faf..c81333c3 100755 --- a/package/debackport.sh +++ b/package/debackport.sh @@ -145,7 +145,7 @@ ok_msg "Packages are ready." ls *.deb | while read P; do ls --color=always -1 "$P" - lintian "$P" + lintian --info --display-info --display-experimental --pedantic --show-overrides "$P" done echo diff --git a/package/pbuilder_zdkimfilter.sh b/package/pbuilder_zdkimfilter.sh index ab47c622..6fc80422 100755 --- a/package/pbuilder_zdkimfilter.sh +++ b/package/pbuilder_zdkimfilter.sh @@ -8,7 +8,7 @@ PKGVERSION="1.5" SOURCE_URL="http://www.tana.it/sw/zdkimfilter/zdkimfilter-${PKGVERSION}.tar.gz" MAINTAINER="viktor@szepe.net" -set +e +set -e apt-get install -qq -y build-essential devscripts colormake pkg-config libtool checkinstall \ courier-mta libopendkim-dev \ diff --git a/repo b/repo index d1681027..02ecc3f4 160000 --- a/repo +++ b/repo @@ -1 +1 @@ -Subproject commit d1681027dec09141cd23230468aea15deb3a501f +Subproject commit 02ecc3f4307b7dc730e80fff32f62cb05481c1ce diff --git a/security/IPtables.md b/security/IPtables.md new file mode 100644 index 00000000..9f9af950 --- /dev/null +++ b/security/IPtables.md @@ -0,0 +1,16 @@ +# IPtables rules + +### Log outgoing SMTP traffic of website (non-MTA) users + +```bash +echo USER1 USER2 USER3 | xargs -n 1 -I %% iptables -I OUTPUT \ + -o eth0 \ + -m state --state NEW \ + -p tcp -m multiport --dports 25,465,587 \ + -m owner --uid-owner %% \ + -j LOG --log-prefix "SMTP web: " --log-level 4 --log-uid +iptables -nvL OUTPUT +``` + +Against spamming. +@FIXME Except transactional email providers 
diff --git a/security/fail2ban-conf/filter.d/courier-smtp.local b/security/fail2ban-conf/filter.d/courier-smtp.local index 09427a6f..b9a61439 100644 --- a/security/fail2ban-conf/filter.d/courier-smtp.local +++ b/security/fail2ban-conf/filter.d/courier-smtp.local @@ -18,3 +18,5 @@ failregex = ^%(__prefix_line)serror,relay=,.*: 550 User (<.*> )?unknown\.? # ? ,msg="535 Authentication required.",cmd: EHLO # ? ,msg="535 Authentication required.",cmd: + +ignoreregex = ^%(__prefix_line)serror,relay=,from=<\S+>,to=<\S+-testing@\S">: 550 User (<.*> )?unknown\.?$ diff --git a/security/fail2ban-leanmail/leanmail.sh b/security/fail2ban-leanmail/leanmail.sh index 9fa9ee03..4ce58148 100755 --- a/security/fail2ban-leanmail/leanmail.sh +++ b/security/fail2ban-leanmail/leanmail.sh @@ -2,8 +2,8 @@ # # Don't send Fail2ban notification emails of IP-s with records # -# VERSION :0.2.7 -# DATE :2015-11-24 +# VERSION :0.2.8 +# DATE :2016-04-19 # AUTHOR :Viktor Szépe # URL :https://github.com/szepeviktor/debian-server-tools # LICENSE :The MIT License (MIT) @@ -173,7 +173,7 @@ Update_cache() { CACHE_FILE_TEMP="$(mktemp "${CACHE_FILE}.XXXXXXXXXX")" # Long timeout, three tries - wget -q -t 3 -O "$CACHE_FILE_TEMP" "$URL" 2> /dev/null + wget -q -T 20 -t 3 -O "$CACHE_FILE_TEMP" "$URL" 2> /dev/null # Circumvent the case of partially downloaded file if [ -s "$CACHE_FILE_TEMP" ]; then diff --git a/security/maldet b/security/maldet new file mode 160000 index 00000000..57f574b1 --- /dev/null +++ b/security/maldet @@ -0,0 +1 @@ +Subproject commit 57f574b1ce869e5b965730a12f026802aab31928 diff --git a/security/myattackers-ipsets/README.md b/security/myattackers-ipsets/README.md index f8ea3f38..13630a76 100644 --- a/security/myattackers-ipsets/README.md +++ b/security/myattackers-ipsets/README.md 
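Review bot: The new `ignoreregex` ends in `to=<\S+-testing@\S">: 550 ...`, and the `\S"` after the `@` matches exactly one non-space character followed by a literal double quote, something the failregex above it never expects; unless the page has dropped a token here (angle-bracketed placeholders appear to be missing after `relay=` in both lines), the rule will not match a real rejection and the exemption is dead. Check it with `fail2ban-regex` against a genuine `-testing@` rejection line and, if the domain was meant, use `to=<\S+-testing@\S+>`. Keep in mind the exemption is sender-independent: every unknown-user rejection for a `-testing@` recipient stops counting toward a ban no matter who produced it, so if that is acceptable it deserves a comment above the rule saying so.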
@@ -5,6 +5,7 @@ Deny traffic from dangerous networks. ```bash apt-get install -y iptables-persistent ipset ipset-persistent iptables -N myattackers-ipset + head *.ipset | grep "^#: ip.\+" | cut -d " " -f 2- | /bin/bash iptables -A myattackers-ipset -j RETURN iptables -I INPUT -j myattackers-ipset @@ -13,3 +14,14 @@ ipset list [ "$(lsb_release -sc)" == "wheezy" ] && sed -i -e "s;^IPSET=;IPSET=$(which ipset);" /etc/init.d/ipset-persistent /etc/init.d/ipset-persistent save ``` + +Update + +```bash +iptables -D INPUT -j myattackers-ipset +iptables -F myattackers-ipset + +head *.ipset | grep "^#: ip.\+" | cut -d " " -f 2- | /bin/bash +iptables -A myattackers-ipset -j RETURN +iptables -I INPUT -j myattackers-ipset +``` diff --git a/security/myattackers-ipsets/leonlundberg.ipset b/security/myattackers-ipsets/leonlundberg.ipset index 65f408bb..55b9217a 100644 --- a/security/myattackers-ipsets/leonlundberg.ipset +++ b/security/myattackers-ipsets/leonlundberg.ipset @@ -1,6 +1,6 @@ # AS44050 - LeonLundberg etc. !shadow net! @PIN #: ipset -exist restore < leonlundberg.ipset -#: iptables -I INPUT -m set --match-set leonlundberg src -j REJECT +#: iptables -I myattackers-ipset -m set --match-set leonlundberg src -j REJECT create leonlundberg hash:net family inet hashsize 256 maxelem 32 flush leonlundberg add leonlundberg 188.143.232.0/24 diff --git a/security/myattackers-ipsets/lu-root.ipset b/security/myattackers-ipsets/lu-root.ipset index ec69e8ec..a85ff294 100644 --- a/security/myattackers-ipsets/lu-root.ipset +++ b/security/myattackers-ipsets/lu-root.ipset @@ -1,6 +1,6 @@ # AS5577 - LU root SA, type: HTTP #: ipset -exist restore < lu-root.ipset -#: iptables -I INPUT -m set --match-set lu-root src -j REJECT +#: iptables -I myattackers-ipset -m set --match-set lu-root src -j REJECT create lu-root hash:net family inet hashsize 256 maxelem 32 flush lu-root add lu-root 94.242.192.0/18 
diff --git a/security/myattackers-ipsets/mirtelematiki.ipset b/security/myattackers-ipsets/mirtelematiki.ipset index a576a28c..ced28137 100644 --- a/security/myattackers-ipsets/mirtelematiki.ipset +++ b/security/myattackers-ipsets/mirtelematiki.ipset @@ -1,6 +1,6 @@ # AS49335 - Mir Telematiki Ltd. #: ipset -exist restore < mirtelematiki.ipset -#: iptables -I INPUT -m set --match-set mirtelematiki src -j REJECT +#: iptables -I myattackers-ipset -m set --match-set mirtelematiki src -j REJECT create mirtelematiki hash:net family inet hashsize 256 maxelem 32 flush mirtelematiki add mirtelematiki 141.105.64.0/21 diff --git a/security/myattackers-ipsets/shodan-io.ipset b/security/myattackers-ipsets/shodan-io.ipset index df1c20d9..4185fc50 100644 --- a/security/myattackers-ipsets/shodan-io.ipset +++ b/security/myattackers-ipsets/shodan-io.ipset @@ -3,7 +3,7 @@ # host -t A "${S}shodan.io" # done | sed -e 's;^.* \(has address\|has IPv4 address\) ;;' | sort | uniq #: ipset -exist restore < shodan-io.ipset -#: iptables -I INPUT -m set --match-set shodan-io src -j REJECT +#: iptables -I myattackers-ipset -m set --match-set shodan-io src -j REJECT create shodan-io hash:net family inet hashsize 256 maxelem 32 flush shodan-io add shodan-io 66.240.192.138 diff --git a/security/myattackers-ipsets/sks-lugan.ipset b/security/myattackers-ipsets/sks-lugan.ipset index 78cd98d3..c1fcad5d 100644 --- a/security/myattackers-ipsets/sks-lugan.ipset +++ b/security/myattackers-ipsets/sks-lugan.ipset @@ -1,6 +1,6 @@ # AS35804 - PP SKS-LUGAN #: ipset -exist restore < sks-lugan.ipset -#: iptables -I INPUT -m set --match-set sks-lugan src -j REJECT +#: iptables -I myattackers-ipset -m set --match-set sks-lugan src -j REJECT create sks-lugan hash:net family inet hashsize 256 maxelem 32 flush sks-lugan add sks-lugan 91.200.12.0/22 diff --git a/security/myattackers-ipsets/spidernet.ipset b/security/myattackers-ipsets/spidernet.ipset index 534e7cf4..138474b9 100644 
--- a/security/myattackers-ipsets/spidernet.ipset +++ b/security/myattackers-ipsets/spidernet.ipset @@ -1,6 +1,6 @@ # AS29278 - Deninet KFT, type: HTTP,HDB2 bot,SMTP broken pipe,HTTP commands in SMTP #: ipset -exist restore < spidernet.ipset -#: iptables -I INPUT -m set --match-set spidernet src -j REJECT +#: iptables -I myattackers-ipset -m set --match-set spidernet src -j REJECT create spidernet hash:net family inet hashsize 256 maxelem 32 flush spidernet add spidernet 217.113.54.0/24 diff --git a/tools/ip.sh b/tools/ip.sh index 87b80ded..b3eac66a 100755 --- a/tools/ip.sh +++ b/tools/ip.sh @@ -1,9 +1,9 @@ #!/bin/bash # -# Print IP address +# Print Internet facing IP address # -# VERSION :0.2.0 -# DATE :2015-07-18 +# VERSION :0.3.0 +# DATE :2016-04-18 # AUTHOR :Viktor Szépe # LICENSE :The MIT License (MIT) # URL :https://github.com/szepeviktor/debian-server-tools @@ -11,9 +11,8 @@ # LOCATION :/usr/local/bin/ip.sh # https://help.dyn.com/remote-access-api/checkip-tool/ -# # Current IP Check Current IP Address: 123.456.78.90 +# IP_URL="http://checkip.dyndns.com/" +# wget -q -O- "$IP_URL" | grep -m 1 -o "[0-9.]\+" -IP_URL="http://checkip.dyndns.com/" - -wget -q -O- "$IP_URL" | grep -m 1 -o "[0-9.]\+" +wget -q -O- "https://api.ipify.org/" diff --git a/virtualization/Docker.md b/virtualization/Docker.md index b1502841..7b5f1208 100644 --- a/virtualization/Docker.md +++ b/virtualization/Docker.md 
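Review bot: The new `wget -q -O- "https://api.ipify.org/"` drops the `grep -m 1 -o "[0-9.]\+"` filter the previous version applied, so whatever the endpoint returns is printed verbatim; on an error page or a captive-portal redirect the caller gets HTML instead of an address, and the old guarantee of numeric-only output is gone. Keep a validating filter, `wget -q -O- "https://api.ipify.org/" | grep -m 1 -o "^[0-9.]\+$"`, and bound the fetch since this tool tends to run unattended, `wget -q -T 10 -t 2 -O- ...`, matching the `-T 20` this same patch adds in security/fail2ban-leanmail/leanmail.sh. The move from plain HTTP to HTTPS is a good change and worth recording in the header comment.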
@@ -9,38 +9,3 @@ https://docs.docker.com/engine/reference/builder/ 1. [accursoft/micro-jessie](https://bitbucket.org/accursoft/micro-debian) 38MB 1. [alpine](http://gliderlabs.viewdocs.io/docker-alpine/) 5 MB -### Package builder environment with Docker - -```bash -# - Build "szepeviktor/jessie-build" image - -# docker build -t szepeviktor/jessie-build jessie-build - - -# - Build Debian package - -# docker run --rm -it --user=1000 szepeviktor/jessie-build -# docker run --rm -it -v /opt/result --user=1000 szepeviktor/jessie-build - - -# @TODO Automate in a Dockerfile !!! ENV PACKAGE=htop - - -cd; read -r -e -i "testing/" -p "Distribution/Package? " DP -WEB="https://packages.debian.org/${DP}" -URL="$(curl -s "$WEB"|grep -o 'http://http.debian.net/debian/pool/[^"]\+\.dsc')" -[ -z "$URL" ] || dget -ux "$URL" -cd ${DP#*/}-*/ && dpkg-checkbuilddeps 2>&1 | cut -d: -f3- | sed 's/([^()]\+)//g' - -# Install dependencies -# docker exec --user=0 $(docker ps -q|head -n1) /bin/bash -c "apt-get install -qqy DEPENDENCIES" - -dpkg-buildpackage -b -uc -us || echo ERROR -cd ../ && lintian *.deb && ls -l *.deb - -# Copy resulting packages -# docker exec $(docker ps -q|head -n1) /bin/bash -c "cd /home/debian/;tar c *.deb"|tar xv - -exit - -# Copy resulting packages II. -# cp -av "$(docker inspect $(docker ps -q|head -n1)|grep -A10 '"Mounts":'|grep -m1 '"Source": ".*",'|cut -d'"' -f4)" . -``` diff --git a/virtualization/Xen.md b/virtualization/Xen.md index f395dde8..579e7c69 100644 --- a/virtualization/Xen.md +++ b/virtualization/Xen.md 
@@ -6,6 +6,12 @@ echo "GRUB_DISABLE_OS_PROBER=true" >> /etc/default/grub ``` -### Citrix xe-guest-utilities for Debian +### Citrix xe-guest-utilities http://mirror.1and1.com/software/local-updates/XenServer_Tools/Linux/ + +#### Unofficial patched version by Retrosnub + +[latest official packages](http://bazaar.launchpad.net/~retrosnub/+junk/xe-guest-utilities/files/head:/xe-guest-utilities/) + +Archive for Ubuntu: http://mirror.retrosnub.co.uk/retrosnub-xenserver-support/ diff --git a/virtualization/jessie-backport/Dockerfile b/virtualization/jessie-backport/Dockerfile index 96c551a1..ba75c75a 100644 --- a/virtualization/jessie-backport/Dockerfile +++ b/virtualization/jessie-backport/Dockerfile @@ -1,6 +1,6 @@ # szepeviktor/jessie-backport # -# VERSION 0.1.0 +# VERSION 0.1.2 # BUILD docker build -t szepeviktor/jessie-backport jessie-backport # RUN docker run --rm --tty -v $TARGET_PATH:/opt/results --env PACKAGE="$SOURCE-PACKAGE/$RELEASE" szepeviktor/jessie-backport @@ -11,7 +11,8 @@ ENV DEBIAN_FRONTEND noninteractive COPY debackport.sh /usr/local/bin/debackport.sh -VOLUME ["/opt/results"] USER debian WORKDIR /home/debian +VOLUME ["/opt/results"] + ENTRYPOINT ["/usr/local/bin/debackport.sh"] diff --git a/virtualization/jessie-backport/debackport.sh b/virtualization/jessie-backport/debackport.sh index a73fb07d..a801aa79 100755 --- a/virtualization/jessie-backport/debackport.sh +++ b/virtualization/jessie-backport/debackport.sh @@ -90,6 +90,6 @@ dch --bpo --distribution "${CURRENT_RELEASE}-backports" "$CHANGELOG_MSG" dpkg-buildpackage -us -uc cd .. -lintian *.deb || true +lintian --info --display-info --display-experimental --pedantic --show-overrides *.deb || true sudo cp -av *.deb /opt/results echo "OK." diff --git a/virtualization/jessie-build/Dockerfile b/virtualization/jessie-build/Dockerfile index ced7ec5d..d24aaf0c 100644 --- a/virtualization/jessie-build/Dockerfile +++ b/virtualization/jessie-build/Dockerfile 
@@ -1,6 +1,6 @@ # szepeviktor/jessie-build # -# VERSION 0.2.0 +# VERSION 0.2.1 # BUILD docker build -t szepeviktor/jessie-build jessie-build # RUN docker run --rm -it -v /opt/results:/opt/results szepeviktor/jessie-build @@ -8,16 +8,17 @@ FROM debian:jessie ENV LC_ALL C ENV DEBIAN_FRONTEND noninteractive + # httpredir.debian.org won't redirect to ftp.hu.debian.org RUN sed -i -e 's/httpredir.debian.org/ftp.hu.debian.org/' /etc/apt/sources.list RUN apt-get update && apt-get -y --force-yes dist-upgrade -RUN apt-get -y install sudo dialog devscripts +RUN apt-get -y install sudo dialog devscripts wget RUN apt-get clean RUN adduser --disabled-password --gecos "" debian RUN echo 'debian ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers -VOLUME ["/opt/results"] USER debian WORKDIR /home/debian +VOLUME ["/opt/results"] diff --git a/virtualization/jessie-py2deb/docker-py2deb.sh b/virtualization/jessie-py2deb/docker-py2deb.sh index 3cbbeaf0..cf474361 100755 --- a/virtualization/jessie-py2deb/docker-py2deb.sh +++ b/virtualization/jessie-py2deb/docker-py2deb.sh @@ -35,7 +35,7 @@ python3 /usr/bin/py2dsc-deb --with-python2=true --with-python3=true --no-python2 --suite "$(lsb_release -s -c)" "${TARBALL:4}" if [ -d deb_dist ]; then - lintian --color always deb_dist/*.deb + lintian --color always --info --display-info --display-experimental --pedantic --show-overrides deb_dist/*.deb sudo cp -av deb_dist/*.deb /opt/results echo "OK." else diff --git a/webserver/add-site.sh b/webserver/add-site.sh index 50acbf89..8e5270b7 100644 --- a/webserver/add-site.sh +++ b/webserver/add-site.sh @@ -141,7 +141,7 @@ fail2ban-client set apache-instant addlogpath /var/log/apache2/${U}-ssl-error.lo cd /etc/cron.d/ # See: ${D}/webserver/preload-cache.sh -# Goaccess +# Goaccess, could be a cron job also IP="" goaccess --agent-list --http-method \ --geoip-city-data=/var/lib/geoip-database-contrib/GeoLiteCity.dat \
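Review bot: `RUN apt-get -y install sudo dialog devscripts wget` runs in a separate layer from the `RUN apt-get update && ...` above it, so a cached update layer can be paired with a fresh install and pull stale package versions; put them in one instruction, `RUN apt-get update && apt-get -y install --no-install-recommends sudo dialog devscripts wget && apt-get clean`, which also folds the following `RUN apt-get clean` into the same layer so the package lists do not bloat the image. Adding wget here deserves a comment on what downloads it, since the entrypoint is outside this hunk. The `--force-yes` on the dist-upgrade line is context rather than new code, but it disables apt's safety checks including package authentication and is worth a follow-up.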