From 5a40d54eee37295fae92613777dbbc8a9825745f Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 10:11:28 +0300 Subject: [PATCH 1/7] add ntp configs --- etc/ntp.conf | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 etc/ntp.conf diff --git a/etc/ntp.conf b/etc/ntp.conf new file mode 100644 index 0000000..e8b9d5c --- /dev/null +++ b/etc/ntp.conf @@ -0,0 +1,42 @@ +# +# Ansible managed +# + +# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help + +driftfile /var/lib/ntp/ntp.drift + +# Enable this if you want statistics to be logged. +#statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + + +pool bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst +server marla.ludost.net minpoll 4 maxpoll 10 iburst burst +server tryler.ludost.net minpoll 4 maxpoll 10 iburst burst + +# hard backup +pool 2.bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst + +# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for +# details. The web page +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery limited +restrict -6 default kod notrap nomodify nopeer noquery limited + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Needed for adding pool entries +restrict source notrap nomodify noquery From 431862c5e20452244667c5c8ed3f8b23a287ae2f Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 10:13:59 +0300 Subject: [PATCH 2/7] add gitconfig --- root/.gitconfig | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 root/.gitconfig diff --git a/root/.gitconfig b/root/.gitconfig new file mode 100644 index 0000000..51a1e11 --- /dev/null +++ b/root/.gitconfig @@ -0,0 +1,13 @@ +# This is Git's per-user configuration file. +[user] +# Please adapt and uncomment the following lines: + name = "OpenFest Server User" + email = core@openfest.org + +[alias] + co = checkout + ci = commit + hist = log --pretty=format:'%h %ad | %s%d [%an]' --graph --date=short + synctags = "!if [ $(git remote show | wc -l) -gt 1 ] ; then for r in $(git remote show) ; do echo \"Fetching $r ...\" ; git fetch $r ; done && git push --tags origin; fi" + vvci = commit --author='Vladimir Vitkov ' + rpci = commit --author='robotpanic ' From affe859df9c0f30482ce18334312d648157d5722 Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 10:19:00 +0300 Subject: [PATCH 3/7] fail2ban defconfig --- etc/fail2ban/fail2ban.conf | 86 ++ etc/fail2ban/jail.conf | 964 +++++++++++++++++++++++ etc/fail2ban/jail.d/defaults-debian.conf | 2 + 3 files changed, 1052 insertions(+) create mode 100644 etc/fail2ban/fail2ban.conf create mode 100644 etc/fail2ban/jail.conf create mode 100644 etc/fail2ban/jail.d/defaults-debian.conf diff --git a/etc/fail2ban/fail2ban.conf b/etc/fail2ban/fail2ban.conf new file mode 100644 index 0000000..f386783 --- /dev/null +++ b/etc/fail2ban/fail2ban.conf @@ -0,0 +1,86 @@ +# Fail2Ban main configuration file +# +# Comments: use '#' for comment lines and ';' (following a space) for inline comments +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in fail2ban.local file, e.g.: +# +# [DEFAULT] +# loglevel = DEBUG +# + +[DEFAULT] + +# Option: loglevel +# Notes.: Set the log level output. +# CRITICAL +# ERROR +# WARNING +# NOTICE +# INFO +# DEBUG +# Values: [ LEVEL ] Default: INFO +# +loglevel = INFO + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# If you change logtarget from the default value and you are +# using logrotate -- also adjust or disable rotation in the +# corresponding configuration file +# (e.g. /etc/logrotate.d/fail2ban on Debian systems) +# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR +# +logtarget = /var/log/fail2ban.log + +# Option: syslogsocket +# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG +# auto uses platform.system() to determine predefined paths +# Values: [ auto | FILE ] Default: auto +syslogsocket = auto + +# Option: socket +# Notes.: Set the socket file. This is used to communicate with the daemon. Do +# not remove this file when Fail2ban runs. It will not be possible to +# communicate with the server afterwards. +# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock +# +socket = /var/run/fail2ban/fail2ban.sock + +# Option: pidfile +# Notes.: Set the PID file. This is used to store the process ID of the +# fail2ban server. +# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid +# +pidfile = /var/run/fail2ban/fail2ban.pid + +# Options: dbfile +# Notes.: Set the file for the fail2ban persistent data to be stored. +# A value of ":memory:" means database is only stored in memory +# and data is lost when fail2ban is stopped. +# A value of "None" disables the database. +# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3 +dbfile = /var/lib/fail2ban/fail2ban.sqlite3 + +# Options: dbpurgeage +# Notes.: Sets age at which bans should be purged from the database +# Values: [ SECONDS ] Default: 86400 (24hours) +dbpurgeage = 1d + +# Options: dbmaxmatches +# Notes.: Number of matches stored in database per ticket (resolvable via +# tags / in actions) +# Values: [ INT ] Default: 10 +dbmaxmatches = 10 + +[Definition] + + +[Thread] + +# Options: stacksize +# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads, +# and must be 0 or a positive integer value of at least 32. +# Values: [ SIZE ] Default: 0 (use platform or configured default) +#stacksize = 0 diff --git a/etc/fail2ban/jail.conf b/etc/fail2ban/jail.conf new file mode 100644 index 0000000..e6961a1 --- /dev/null +++ b/etc/fail2ban/jail.conf @@ -0,0 +1,964 @@ +# +# WARNING: heavily refactored in 0.9.0 release. Please review and +# customize settings for your setup. +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in jail.local file, +# or separate .conf files under jail.d/ directory, e.g.: +# +# HOW TO ACTIVATE JAILS: +# +# YOU SHOULD NOT MODIFY THIS FILE. +# +# It will probably be overwritten or improved in a distribution update. +# +# Provide customizations in a jail.local file or a jail.d/customisation.local. +# For example to change the default bantime for all jails and to enable the +# ssh-iptables jail the following (uncommented) would appear in the .local file. +# See man 5 jail.conf for details. +# +# [DEFAULT] +# bantime = 1h +# +# [sshd] +# enabled = true +# +# See jail.conf(5) man page for more information + + + +# Comments: use '#' for comment lines and ';' (following a space) for inline comments + + +[INCLUDES] + +#before = paths-distro.conf +before = paths-debian.conf + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +# +# MISCELLANEOUS OPTIONS +# + +# "bantime.increment" allows to use database for searching of previously banned ip's to increase a +# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... +#bantime.increment = true + +# "bantime.rndtime" is the max number of seconds using for mixing with random time +# to prevent "clever" botnets calculate exact time IP can be unbanned again: +#bantime.rndtime = + +# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) +#bantime.maxtime = + +# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, +# default value of factor is 1 and with default value of formula, the ban time +# grows by 1, 2, 4, 8, 16 ... +#bantime.factor = 1 + +# "bantime.formula" used by default to calculate next value of ban time, default value below, +# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... +#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor +# +# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : +#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) + +# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding +# previously ban count and given "bantime.factor" (for multipliers default is 1); +# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, +# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours +#bantime.multipliers = 1 2 4 8 16 32 64 +# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, +# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day +#bantime.multipliers = 1 5 30 60 300 720 1440 2880 + +# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed +# cross over all jails, if false (dafault), only current jail of the ban IP will be searched +#bantime.overalljails = false + +# -------------------- + +# "ignoreself" specifies whether the local resp. own IP addresses should be ignored +# (default is true). Fail2ban will not ban a host which matches such addresses. +#ignoreself = true + +# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban +# will not ban a host which matches an address in this list. Several addresses +# can be defined using space (and/or comma) separator. +#ignoreip = 127.0.0.1/8 ::1 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 10m + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 10m + +# "maxretry" is the number of failures before a host get banned. +maxretry = 5 + +# "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions). +maxmatches = %(maxretry)s + +# "backend" specifies the backend used to get files modification. +# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# systemd: uses systemd python library to access the systemd journal. +# Specifying "logpath" is not valid for this backend. +# See "journalmatch" in the jails associated filter config +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. +# +# Note: if systemd backend is chosen as the default but you enable a jail +# for which logs are present only in its own log files, specify some other +# backend for that jail (e.g. polling) and provide empty value for +# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 +backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a DNS lookup will be performed. +# warn: if a hostname is encountered, a DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) +usedns = warn + +# "logencoding" specifies the encoding of the log files handled by the jail +# This is used to decode the lines from the log file. +# Typical examples: "ascii", "utf-8" +# +# auto: will use the system locale setting +logencoding = auto + +# "enabled" enables the jails. +# By default all jails are disabled, and it should stay this way. +# Enable only relevant to your setup jails in your .local or jail.d/*.conf +# +# true: jail will be enabled and log files will get monitored for changes +# false: jail is not enabled +enabled = false + + +# "mode" defines the mode of the filter (see corresponding filter implementation for more info). +mode = normal + +# "filter" defines the filter to use by the jail. +# By default jails have names matching their filter name +# +filter = %(__name__)s[mode=%(mode)s] + + +# +# ACTIONS +# + +# Some options used for actions + +# Destination email address used solely for the interpolations in +# jail.{conf,local,d/*} configuration files. +destemail = root@localhost + +# Sender email address used solely for some actions +sender = root@ + +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the +# mailing. Change mta configuration parameter to mail if you want to +# revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in ban-actions expecting parameter chain +chain = + +# Ports to be banned +# Usually should be overridden in a particular jail +port = 0:65535 + +# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 +fail2ban_agent = Fail2Ban/%(fail2ban_version)s + +# +# Action shortcuts. To be used to define action parameter + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport +banaction_allports = iptables-allports + +# The simplest action to take: ban only +action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(action_)s + %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. +action_mwl = %(action_)s + %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] + +# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action +# +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines +# to the destemail. +action_xarf = %(action_)s + xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"] + +# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines +# to the destemail. +action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] + +# Report block via blocklist.de fail2ban reporting service API +# +# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. +# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation +# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` +# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in +# corresponding jail.d/my-jail.local file). +# +action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] + +# Report ban via badips.com, and use as blacklist +# +# See BadIPsAction docstring in config/action.d/badips.py for +# documentation for this action. +# +# NOTE: This action relies on banaction being present on start and therefore +# should be last action defined for a jail. +# +action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] +# +# Report ban via badips.com (uses action.d/badips.conf for reporting only) +# +action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] + +# Report ban via abuseipdb.com. +# +# See action.d/abuseipdb.conf for usage example and details. +# +action_abuseipdb = abuseipdb + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + + +# +# JAILS +# + +# +# SSH servers +# + +[sshd] + +# To use more aggressive sshd modes set filter parameter "mode" in jail.local: +# normal (default), ddos, extra or aggressive (combines all). +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. +#mode = normal +port = ssh +logpath = %(sshd_log)s +backend = %(sshd_backend)s + + +[dropbear] + +port = ssh +logpath = %(dropbear_log)s +backend = %(dropbear_backend)s + + +[selinux-ssh] + +port = ssh +logpath = %(auditd_log)s + + +# +# HTTP servers +# + +[apache-auth] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-badbots] +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. +port = http,https +logpath = %(apache_access_log)s +bantime = 48h +maxretry = 1 + + +[apache-noscript] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-overflows] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-nohome] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-botsearch] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-fakegooglebot] + +port = http,https +logpath = %(apache_access_log)s +maxretry = 1 +ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot + + +[apache-modsecurity] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-shellshock] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 1 + + +[openhab-auth] + +filter = openhab +banaction = %(banaction_allports)s +logpath = /opt/openhab/logs/request.log + + +[nginx-http-auth] + +port = http,https +logpath = %(nginx_error_log)s + +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# and define `limit_req` and `limit_req_zone` as described in nginx documentation +# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html +# or for example see in 'config/filter.d/nginx-limit-req.conf' +[nginx-limit-req] +port = http,https +logpath = %(nginx_error_log)s + +[nginx-botsearch] + +port = http,https +logpath = %(nginx_error_log)s +maxretry = 2 + + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +port = http,https +logpath = %(nginx_access_log)s + %(apache_access_log)s + + +[suhosin] + +port = http,https +logpath = %(suhosin_log)s + + +[lighttpd-auth] +# Same as above for Apache's mod_auth +# It catches wrong authentifications +port = http,https +logpath = %(lighttpd_error_log)s + + +# +# Webmail and groupware servers +# + +[roundcube-auth] + +port = http,https +logpath = %(roundcube_errors_log)s +# Use following line in your jail.local if roundcube logs to journal. +#backend = %(syslog_backend)s + + +[openwebmail] + +port = http,https +logpath = /var/log/openwebmail.log + + +[horde] + +port = http,https +logpath = /var/log/horde/horde.log + + +[groupoffice] + +port = http,https +logpath = /home/groupoffice/log/info.log + + +[sogo-auth] +# Monitor SOGo groupware server +# without proxy this would be: +# port = 20000 +port = http,https +logpath = /var/log/sogo/sogo.log + + +[tine20] + +logpath = /var/log/tine20/tine20.log +port = http,https + + +# +# Web Applications +# +# + +[drupal-auth] + +port = http,https +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s + +[guacamole] + +port = http,https +logpath = /var/log/tomcat*/catalina.out +#logpath = /var/log/guacamole.log + +[monit] +#Ban clients brute-forcing the monit gui login +port = 2812 +logpath = /var/log/monit + /var/log/monit.log + + +[webmin-auth] + +port = 10000 +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +# +# HTTP Proxy servers +# +# + +[squid] + +port = 80,443,3128,8080 +logpath = /var/log/squid/access.log + + +[3proxy] + +port = 3128 +logpath = /var/log/3proxy.log + + +# +# FTP servers +# + + +[proftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s +backend = %(proftpd_backend)s + + +[pure-ftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(pureftpd_log)s +backend = %(pureftpd_backend)s + + +[gssftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s + + +[wuftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(wuftpd_log)s +backend = %(wuftpd_backend)s + + +[vsftpd] +# or overwrite it in jails.local to be +# logpath = %(syslog_authpriv)s +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats +port = ftp,ftp-data,ftps,ftps-data +logpath = %(vsftpd_log)s + + +# +# Mail servers +# + +# ASSP SMTP Proxy Jail +[assp] + +port = smtp,465,submission +logpath = /root/path/to/assp/logs/maillog.txt + + +[courier-smtp] + +port = smtp,465,submission +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[postfix] +# To use another modes set filter parameter "mode" in jail.local: +mode = more +port = smtp,465,submission +logpath = %(postfix_log)s +backend = %(postfix_backend)s + + +[postfix-rbl] + +filter = postfix[mode=rbl] +port = smtp,465,submission +logpath = %(postfix_log)s +backend = %(postfix_backend)s +maxretry = 1 + + +[sendmail-auth] + +port = submission,465,smtp +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[sendmail-reject] +# To use more aggressive modes set filter parameter "mode" in jail.local: +# normal (default), extra or aggressive +# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. +#mode = normal +port = smtp,465,submission +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[qmail-rbl] + +filter = qmail +port = smtp,465,submission +logpath = /service/qmail/log/main/current + + +# dovecot defaults to logging to the mail syslog facility +# but can be set by syslog_facility in the dovecot configuration. +[dovecot] + +port = pop3,pop3s,imap,imaps,submission,465,sieve +logpath = %(dovecot_log)s +backend = %(dovecot_backend)s + + +[sieve] + +port = smtp,465,submission +logpath = %(dovecot_log)s +backend = %(dovecot_backend)s + + +[solid-pop3d] + +port = pop3,pop3s +logpath = %(solidpop3d_log)s + + +[exim] +# see filter.d/exim.conf for further modes supported from filter: +#mode = normal +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[exim-spam] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[kerio] + +port = imap,smtp,imaps,465 +logpath = /opt/kerio/mailserver/store/logs/security.log + + +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courier-auth] + +port = smtp,465,submission,imap,imaps,pop3,pop3s +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[postfix-sasl] + +filter = postfix[mode=auth] +port = smtp,465,submission,imap,imaps,pop3,pop3s +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = %(postfix_log)s +backend = %(postfix_backend)s + + +[perdition] + +port = imap,imaps,pop3,pop3s +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[squirrelmail] + +port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log + + +[cyrus-imap] + +port = imap,imaps +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +[uwimap-auth] + +port = imap,imaps +logpath = %(syslog_mail)s +backend = %(syslog_backend)s + + +# +# +# DNS servers +# + + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. +# +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks UDP traffic for DNS requests. +# [named-refused-udp] +# +# filter = named-refused +# port = domain,953 +# protocol = udp +# logpath = /var/log/named/security.log + +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks TCP traffic for DNS requests. + +[named-refused] + +port = domain,953 +logpath = /var/log/named/security.log + + +[nsd] + +port = 53 +action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] + %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] +logpath = /var/log/nsd.log + + +# +# Miscellaneous +# + +[asterisk] + +port = 5060,5061 +action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] + %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] +logpath = /var/log/asterisk/messages +maxretry = 10 + + +[freeswitch] + +port = 5060,5061 +action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] + %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] +logpath = /var/log/freeswitch.log +maxretry = 10 + + +# enable adminlog; it will log to a file inside znc's directory by default. +[znc-adminlog] + +port = 6667 +logpath = /var/lib/znc/moddata/adminlog/znc.log + + +# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or +# equivalent section: +# log-warnings = 2 +# +# for syslog (daemon facility) +# [mysqld_safe] +# syslog +# +# for own logfile +# [mysqld] +# log-error=/var/log/mysqld.log +[mysqld-auth] + +port = 3306 +logpath = %(mysql_log)s +backend = %(mysql_backend)s + + +# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') +[mongodb-auth] +# change port when running with "--shardsvr" or "--configsvr" runtime operation +port = 27017 +logpath = /var/log/mongodb/mongodb.log + + +# Jail for more extended banning of persistent abusers +# !!! WARNINGS !!! +# 1. Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) +# to maintain entries for failed logins for sufficient amount of time +[recidive] + +logpath = /var/log/fail2ban.log +banaction = %(banaction_allports)s +bantime = 1w +findtime = 1d + + +# Generic filter for PAM. Has to be used with action which bans all +# ports such as iptables-allports, shorewall + +[pam-generic] +# pam-generic filter can be customized to monitor specific subset of 'tty's +banaction = %(banaction_allports)s +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +[xinetd-fail] + +banaction = iptables-multiport-log +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s +maxretry = 2 + + +# stunnel - need to set port for this +[stunnel] + +logpath = /var/log/stunnel4/stunnel.log + + +[ejabberd-auth] + +port = 5222 +logpath = /var/log/ejabberd/ejabberd.log + + +[counter-strike] + +logpath = /opt/cstrike/logs/L[0-9]*.log +tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 +udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 +action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] + %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] + +[softethervpn] +port = 500,4500 +protocol = udp +logpath = /usr/local/vpnserver/security_log/*/sec.log + +[gitlab] +port = http,https +logpath = /var/log/gitlab/gitlab-rails/application.log + +[grafana] +port = http,https +logpath = /var/log/grafana/grafana.log + +[bitwarden] +port = http,https +logpath = /home/*/bwdata/logs/identity/Identity/log.txt + +[centreon] +port = http,https +logpath = /var/log/centreon/login.log + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] + +logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility +backend = %(syslog_backend)s +maxretry = 1 + + +[oracleims] +# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above +logpath = /opt/sun/comms/messaging64/log/mail.log_current +banaction = %(banaction_allports)s + +[directadmin] +logpath = /var/log/directadmin/login.log +port = 2222 + +[portsentry] +logpath = /var/lib/portsentry/portsentry.history +maxretry = 1 + +[pass2allow-ftp] +# this pass2allow example allows FTP traffic after successful HTTP authentication +port = ftp,ftp-data,ftps,ftps-data +# knocking_url variable must be overridden to some secret value in jail.local +knocking_url = /knocking/ +filter = apache-pass[knocking_url="%(knocking_url)s"] +# access log of the website with HTTP auth +logpath = %(apache_access_log)s +blocktype = RETURN +returntype = DROP +action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, + actionstart_on_demand=false, actionrepair_on_unban=true] +bantime = 1h +maxretry = 1 +findtime = 1 + + +[murmur] +# AKA mumble-server +port = 64738 +action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] + %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] +logpath = /var/log/mumble-server/mumble-server.log + + +[screensharingd] +# For Mac OS Screen Sharing Service (VNC) +logpath = /var/log/system.log +logencoding = utf-8 + +[haproxy-http-auth] +# HAProxy by default doesn't log to file you'll need to set it up to forward +# logs to a syslog server which would then write them to disk. +# See "haproxy-http-auth" filter for a brief cautionary note when setting +# maxretry and findtime. +logpath = /var/log/haproxy.log + +[slapd] +port = ldap,ldaps +logpath = /var/log/slapd.log + +[domino-smtp] +port = smtp,ssmtp +logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log + +[phpmyadmin-syslog] +port = http,https +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s + + +[zoneminder] +# Zoneminder HTTP/HTTPS web interface auth +# Logs auth failures to apache2 error log +port = http,https +logpath = %(apache_error_log)s + +[traefik-auth] +# to use 'traefik-auth' filter you have to configure your Traefik instance, +# see `filter.d/traefik-auth.conf` for details and service example. +port = http,https +logpath = /var/log/traefik/access.log diff --git a/etc/fail2ban/jail.d/defaults-debian.conf b/etc/fail2ban/jail.d/defaults-debian.conf new file mode 100644 index 0000000..9eb356c --- /dev/null +++ b/etc/fail2ban/jail.d/defaults-debian.conf @@ -0,0 +1,2 @@ +[sshd] +enabled = true From bd7bf3739fa62e722cda540824e276dca3a255d3 Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 10:24:04 +0300 Subject: [PATCH 4/7] add haveged --- etc/default/haveged | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 etc/default/haveged diff --git a/etc/default/haveged b/etc/default/haveged new file mode 100644 index 0000000..679e989 --- /dev/null +++ b/etc/default/haveged @@ -0,0 +1,4 @@ +# Configuration file for haveged + +# Options to pass to haveged: +#DAEMON_ARGS="" From 8c1c4f99d76c6dffd58f802cccd832aa723672a4 Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 10:42:51 +0300 Subject: [PATCH 5/7] arpwatch config --- etc/arpwatch/README | 22 +++++++++++++++++++ etc/arpwatch/bond0.20.iface | 1 + etc/arpwatch/bond0.21.iface | 1 + etc/arpwatch/bond0.22.iface | 1 + etc/arpwatch/bond0.23.iface | 1 + etc/arpwatch/bond0.25.iface | 1 + etc/arpwatch/bond0.29.iface | 1 + .../multi-user.target.wants/arpwatch.service | 1 + .../arpwatch@bond0.20.service | 1 + .../arpwatch@bond0.21.service | 1 + .../arpwatch@bond0.22.service | 1 + .../arpwatch@bond0.23.service | 1 + .../arpwatch@bond0.25.service | 1 + .../arpwatch@bond0.29.service | 1 + 14 files changed, 35 insertions(+) create mode 100644 etc/arpwatch/README create mode 100644 etc/arpwatch/bond0.20.iface create mode 100644 etc/arpwatch/bond0.21.iface create mode 100644 etc/arpwatch/bond0.22.iface create mode 100644 etc/arpwatch/bond0.23.iface create mode 100644 etc/arpwatch/bond0.25.iface create mode 100644 etc/arpwatch/bond0.29.iface create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch.service create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch@bond0.20.service create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch@bond0.21.service create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch@bond0.22.service create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch@bond0.23.service create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch@bond0.25.service create mode 120000 etc/systemd/system/multi-user.target.wants/arpwatch@bond0.29.service diff --git a/etc/arpwatch/README b/etc/arpwatch/README new file mode 100644 index 0000000..99ff7be --- /dev/null +++ b/etc/arpwatch/README @@ -0,0 +1,22 @@ +arpwatch does not support a configuration file, but the systemd unit files +shipped with Debian allow to launch arpwatch with different configurations on +each interface + +In order to do that, create a file called IFNAME.iface which contains variable +assignments in sh syntax (comments are allowed). You can use the following +variables to influence the invocation for that specific interface only: +* ARGS: overwrite the ARGS from /etc/default/arpwatch +* PCAP_FILTER: overwrite (or set) the pcap filter +* IFACE_ARGS: additional options to be passed to arpwatch + +See `man 8 arpwatch` for available arguments. Note that the -f, -i and -u +options are added by the init system and should not used. If you just want to +apply the options specified in /etc/default/arpwatch for an interface you do +not need to create a configuration file. + + +For example, if you want to send mails about arpwatch events on eth0 to +arpwatch+eth0@example.com, you can generate the configuration file using the +following command: + +echo 'IFACE_ARGS="-m arpwatch+eth0@example.com"' > /etc/arpwatch/eth0.iface diff --git a/etc/arpwatch/bond0.20.iface b/etc/arpwatch/bond0.20.iface new file mode 100644 index 0000000..1dbaf2e --- /dev/null +++ b/etc/arpwatch/bond0.20.iface @@ -0,0 +1 @@ +IFACE_ARGS="-m nukemailz" diff --git a/etc/arpwatch/bond0.21.iface b/etc/arpwatch/bond0.21.iface new file mode 100644 index 0000000..1dbaf2e --- /dev/null +++ b/etc/arpwatch/bond0.21.iface @@ -0,0 +1 @@ +IFACE_ARGS="-m nukemailz" diff --git a/etc/arpwatch/bond0.22.iface b/etc/arpwatch/bond0.22.iface new file mode 100644 index 0000000..1dbaf2e --- /dev/null +++ b/etc/arpwatch/bond0.22.iface @@ -0,0 +1 @@ +IFACE_ARGS="-m nukemailz" diff --git a/etc/arpwatch/bond0.23.iface b/etc/arpwatch/bond0.23.iface new file mode 100644 index 0000000..1dbaf2e --- /dev/null +++ b/etc/arpwatch/bond0.23.iface @@ -0,0 +1 @@ +IFACE_ARGS="-m nukemailz" diff --git a/etc/arpwatch/bond0.25.iface b/etc/arpwatch/bond0.25.iface new file mode 100644 index 0000000..1dbaf2e --- /dev/null +++ b/etc/arpwatch/bond0.25.iface @@ -0,0 +1 @@ +IFACE_ARGS="-m nukemailz" diff --git a/etc/arpwatch/bond0.29.iface b/etc/arpwatch/bond0.29.iface new file mode 100644 index 0000000..1dbaf2e --- /dev/null +++ b/etc/arpwatch/bond0.29.iface @@ -0,0 +1 @@ +IFACE_ARGS="-m nukemailz" diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch.service b/etc/systemd/system/multi-user.target.wants/arpwatch.service new file mode 120000 index 0000000..71d9aca --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch.service \ No newline at end of file diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.20.service b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.20.service new file mode 120000 index 0000000..584d81b --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.20.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch@.service \ No newline at end of file diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.21.service b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.21.service new file mode 120000 index 0000000..584d81b --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.21.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch@.service \ No newline at end of file diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.22.service b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.22.service new file mode 120000 index 0000000..584d81b --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.22.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch@.service \ No newline at end of file diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.23.service b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.23.service new file mode 120000 index 0000000..584d81b --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.23.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch@.service \ No newline at end of file diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.25.service b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.25.service new file mode 120000 index 0000000..584d81b --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.25.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch@.service \ No newline at end of file diff --git a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.29.service b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.29.service new file mode 120000 index 0000000..584d81b --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.29.service @@ -0,0 +1 @@ +/lib/systemd/system/arpwatch@.service \ No newline at end of file From d262083d8174e5212b168e09e9533c68ae3d9e7c Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 10:53:40 +0300 Subject: [PATCH 6/7] add aliases for arpwatch --- etc/aliases | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 etc/aliases diff --git a/etc/aliases b/etc/aliases new file mode 100644 index 0000000..c3d5b9a --- /dev/null +++ b/etc/aliases @@ -0,0 +1,15 @@ +# /etc/aliases +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root +usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root +root: kalin +nukemailz: /opt/syslog/arpwatch-mails.log From 65acd19fe39ae8faf716aa97d0a3b424e81af0e0 Mon Sep 17 00:00:00 2001 From: Vladimir Vitkov Date: Mon, 10 Oct 2022 11:11:41 +0300 Subject: [PATCH 7/7] unbound --- etc/unbound/.gitignore | 1 + etc/unbound/unbound.conf | 591 ++++++++++++++++++ etc/unbound/unbound.conf.d/local-hosts.conf | 84 +++ .../root-auto-trust-anchor-file.conf | 4 + etc/unbound/unbound_control.pem | 22 + etc/unbound/unbound_server.pem | 22 + 6 files changed, 724 insertions(+) create mode 100644 etc/unbound/.gitignore create mode 100644 etc/unbound/unbound.conf create mode 100644 etc/unbound/unbound.conf.d/local-hosts.conf create mode 100644 etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf create mode 100644 etc/unbound/unbound_control.pem create mode 100644 etc/unbound/unbound_server.pem diff --git a/etc/unbound/.gitignore b/etc/unbound/.gitignore new file mode 100644 index 0000000..c996e50 --- /dev/null +++ b/etc/unbound/.gitignore @@ -0,0 +1 @@ +*.key diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf new file mode 100644 index 0000000..de4c696 --- /dev/null +++ b/etc/unbound/unbound.conf @@ -0,0 +1,591 @@ +#Use this to include other text into the file. +#include: "otherfile.conf" + +# The server clause sets the main parameters. +server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # statistics-interval: 0 + + # enable cumulative statistics, without clearing them after printing. + # statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # printed from unbound-control. default off, because of speed. + # extended-statistics: no + + # number of threads to create. 1 disables threading. + # num-threads: 1 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + interface: 0.0.0.0 + interface: ::0 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + interface-automatic: no + + # port to answer queries from + # port: 53 + + # specify the interfaces to send outgoing queries to authoritative + # server from by ip-address. If none, the default (all) interface + # is used. Specify every interface on a 'outgoing-interface:' line. + # outgoing-interface: 192.0.2.153 + # outgoing-interface: 2001:DB8::5 + # outgoing-interface: 2001:DB8::6 + + # number of ports to allocate per thread, determines the size of the + # port range that can be open simultaneously. About double the + # num-queries-per-thread, or, use as many as the OS will allow you. + # outgoing-range: 4096 + + # permit unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # outgoing-port-permit: 32768 + + # deny unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. + # Use this to make sure unbound does not grab a UDP port that some + # other server on this computer needs. The default is to avoid + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # outgoing-port-avoid: "3200-3208" + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. + # so-rcvbuf: 0 + + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). + # 0 is system default. Use 4m to handle spikes on very busy servers. + # so-sndbuf: 0 + + # on Linux(3.9+) use SO_REUSEPORT to distribute queries over threads. + # so-reuseport: no + + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). + # edns-buffer-size: 4096 + + # Maximum UDP response size (not applied to TCP response). + # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. + # max-udp-size: 4096 + + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. In bytes. + # msg-buffer-size: 65552 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 + + # msec to wait before close of port on timeout UDP. 0 disables. + # delay-close: 0 + + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # cache-min-ttl: 0 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + # cache-max-ttl: 86400 + + # the time to live (TTL) value for cached roundtrip times, lameness and + # EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 + + # the number of slabs to use for the Infrastructure cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 + + # the maximum number of hosts that are cached (roundtrip, EDNS, lame). + # infra-cache-numhosts: 10000 + + # Enable IPv4, "yes" or "no". + # do-ip4: yes + + # Enable IPv6, "yes" or "no". + # do-ip6: yes + + # Enable UDP, "yes" or "no". + # do-udp: yes + + # Enable TCP, "yes" or "no". + # do-tcp: yes + + # upstream connections use TCP only (and no UDP), "yes" or "no" + # useful for tunneling scenarios, default no. + # tcp-upstream: no + + # Detach from the terminal, run in background, "yes" or "no". + # do-daemonize: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) + # deny_non_local (drop queries unless can be answered from local-data) + # refuse_non_local (like deny_non_local but polite error reply). + access-control: 0.0.0.0/0 refuse + access-control: 127.0.0.0/8 allow + access-control: 10.20.0.0/8 allow + access-control: 192.168.0.0/16 allow + access-control: ::0/0 refuse + access-control: ::1 allow + access-control: ::ffff:127.0.0.1 allow + access-control: 2001:67c:21bc:30::/60 allow + + # if given, a chroot(2) is done to the given directory. + # i.e. you can chroot to the working directory, for example, + # for extra security, but make sure all files are in that directory. + # + # If chroot is enabled, you should pass the configfile (from the + # commandline) as a full path from the original root. After the + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. + # + # All other file paths (working dir, logfile, roothints, and + # key files) can be specified in several ways: + # o as an absolute path relative to the new root. + # o as a relative path to the working directory. + # o as an absolute path relative to the original root. + # In the last case the path is adjusted to remove the unused portion. + # + # The pid file can be absolute and outside of the chroot, it is + # written just prior to performing the chroot and dropping permissions. + # + # Additionally, unbound may need to access /dev/random (for entropy). + # How to do this is specific to your OS. + # + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/etc/unbound" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + # username: "unbound" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory + # is not changed. + # directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # log to, with identity "unbound". If yes, it overrides the logfile. + # use-syslog: yes + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + # log-time-ascii: no + + # print one line with time, IP, name, type, class for every query. + # log-queries: no + + # the pid file. Can be an absolute path outside of chroot/work dir. + # pidfile: "/etc/unbound/unbound.pid" + + # file to read root hints from. + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # root-hints: "" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no + + # enable to not answer version.server and version.bind queries. + # hide-version: no + + # the identity to report. Leave "" or default to return hostname. + # identity: "" + + # the version to report. Leave "" or default to return package version. + # version: "" + + # the target fetch policy. + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency + # depth the recursor will pursue before giving up. Each integer means: + # -1 : fetch all targets opportunistically, + # 0: fetch on demand, + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" + + # Harden against very small EDNS buffer sizes. + harden-short-bufsize: yes + + # Harden against unseemly large queries. + harden-large-queries: yes + + # Harden against out of zone rrsets, to avoid spoofing attempts. + harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. + # harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. + # harden-below-nxdomain: no + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + # harden-referral-path: no + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. + # use-caps-for-id: no + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have + # these private addresses. No default. + # private-address: 10.0.0.0/8 + # private-address: 172.16.0.0/12 + # private-address: 192.168.0.0/16 + # private-address: 169.254.0.0/16 + # private-address: fd00::/8 + # private-address: fe80::/10 + + # Allow the domain (and its subdomains) to contain private addresses. + # local-data statements are allowed to contain private addresses too. + # private-domain: "example.com" + + # If nonzero, unwanted replies are not only reported in statistics, + # but also a running total is kept per thread. If it reaches the + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + # unwanted-reply-threshold: 0 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, + # do-not-query-address: 127.0.0.1/8 + # do-not-query-address: ::1 + + # if yes, the above default do-not-query-address entries are present. + # if no, localhost can be queried (for testing and debugging). + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. + # prefetch: no + + # if yes, perform key lookups adjacent to normal lookups. + # prefetch-key: no + + # if yes, Unbound rotates RRSet order in response. + # rrset-roundrobin: no + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # module configuration of the server. A string with identifiers + # separated by spaces. "iterator" or "validator iterator" + # module-config: "validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # + # If you want to perform DNSSEC validation, run unbound-anchor before + # you start unbound (i.e. in the system boot scripts). And enable: + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). + # auto-trust-anchor-file: "/etc/unbound/root.key" + + # File with DLV trusted keys. Same format as trust-anchor-file. + # There can be only one DLV configured, it is trusted from root down. + # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key + # dlv-anchor-file: "dlv.isc.org.key" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. + # Zone file format, with DS and DNSKEY entries. + # Note this gets out of date, use auto-trust-anchor-file please. + # trust-anchor-file: "" + + # Trusted key for validation. DS or DNSKEY. specify the RR on a + # single line, surrounded by "". TTL is ignored. class is IN default. + # Note this gets out of date, use auto-trust-anchor-file please. + # (These examples are from August 2007 and may not be valid anymore). + # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. Like trust-anchor-file + # but has a different file format. Format is BIND-9 style format, + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" + + # Override the date for validation with a specific fixed date. + # Do not set this unless you are debugging signature inception + # and expiration. "" or "0" turns the feature off. -1 ignores date. + # val-override-date: "" + + # The time to live for bogus data, rrsets and messages. This avoids + # some of the revalidation, until the time interval expires. in secs. + # val-bogus-ttl: 60 + + # The signature inception and expiration dates are allowed to be off + # by 10% of the signature lifetime (expir-incep) from our local clock. + # This leeway is capped with a minimum and a maximum. In seconds. + # val-sig-skew-min: 3600 + # val-sig-skew-max: 86400 + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + # val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of unbound are legacy servers (w2008) + # that set CD but cannot validate themselves. + # ignore-cd-flag: no + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + # val-log-level: 0 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. + # A message with an NSEC3 with larger count is marked insecure. + # List in ascending order the keysize and count values. + # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + + # instruct the auto-trust-anchor-file probing to add anchors after ttl. + # add-holddown: 2592000 # 30 days + + # instruct the auto-trust-anchor-file probing to del anchors after ttl. + # del-holddown: 2592000 # 30 days + + # auto-trust-anchor-file probing removes missing anchors after ttl. + # If the value 0 is given, missing anchors are not removed. + # keep-missing: 31622400 # 366 days + + # the amount of memory to use for the key cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # key-cache-size: 4m + + # the number of slabs to use for the key cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # key-cache-slabs: 4 + + # the amount of memory to use for the negative cache (used for DLV). + # plain value in bytes or you can append k, m or G. default is "1Mb". + # neg-cache-size: 1m + + # By default, for a number of zones a small default 'nothing here' + # reply is built-in. Query traffic is thus blocked. If you + # wish to serve such zone you can unblock them by uncommenting one + # of the nodefault statements below. + # You may also have to use domain-insecure: zone to make DNSSEC work, + # unless you have your own trust anchors for this zone. + # local-zone: "localhost." nodefault + # local-zone: "127.in-addr.arpa." nodefault + # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "10.in-addr.arpa." nodefault + # local-zone: "16.172.in-addr.arpa." nodefault + # local-zone: "17.172.in-addr.arpa." nodefault + # local-zone: "18.172.in-addr.arpa." nodefault + # local-zone: "19.172.in-addr.arpa." nodefault + # local-zone: "20.172.in-addr.arpa." nodefault + # local-zone: "21.172.in-addr.arpa." nodefault + # local-zone: "22.172.in-addr.arpa." nodefault + # local-zone: "23.172.in-addr.arpa." nodefault + # local-zone: "24.172.in-addr.arpa." nodefault + # local-zone: "25.172.in-addr.arpa." nodefault + # local-zone: "26.172.in-addr.arpa." nodefault + # local-zone: "27.172.in-addr.arpa." nodefault + # local-zone: "28.172.in-addr.arpa." nodefault + # local-zone: "29.172.in-addr.arpa." nodefault + # local-zone: "30.172.in-addr.arpa." nodefault + # local-zone: "31.172.in-addr.arpa." nodefault + # local-zone: "168.192.in-addr.arpa." nodefault + # local-zone: "0.in-addr.arpa." nodefault + # local-zone: "254.169.in-addr.arpa." nodefault + # local-zone: "2.0.192.in-addr.arpa." nodefault + # local-zone: "100.51.198.in-addr.arpa." nodefault + # local-zone: "113.0.203.in-addr.arpa." nodefault + # local-zone: "255.255.255.255.in-addr.arpa." nodefault + # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "d.f.ip6.arpa." nodefault + # local-zone: "8.e.f.ip6.arpa." nodefault + # local-zone: "9.e.f.ip6.arpa." nodefault + # local-zone: "a.e.f.ip6.arpa." nodefault + # local-zone: "b.e.f.ip6.arpa." nodefault + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault + + # a number of locally served zones can be configured. + # local-zone: + # local-data: "" + # o deny serves local data (if any), else, drops queries. + # o refuse serves local data (if any), else, replies with error. + # o static serves local data, else, nxdomain or nodata answer. + # o transparent gives local data, but resolves normally for other names + # o redirect serves the zone data for any subdomain in the zone. + # o nodefault can be used to normally resolve AS112 zones. + # o typetransparent resolves normally for other types and other names + # + # defaults are localhost address, reverse for 127.0.0.1 and ::1 + # and nxdomain for AS112 zones. If you configure one of these zones + # the default content is omitted, or you can omit it with 'nodefault'. + # + # If you configure local-data without specifying local-zone, by + # default a transparent local-zone is created for the data. + # + # You can add locally served data with + # local-zone: "local." static + # local-data: "mycomputer.local. IN A 192.0.2.51" + # local-data: 'mytext.local TXT "content of text record"' + # + # You can override certain queries with + # local-data: "adserver.example.com A 127.0.0.1" + # + # You can redirect a domain to a fixed address with + # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) + # local-zone: "example.com" redirect + # local-data: "example.com A 192.0.2.3" + # + # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". + # You can also add PTR records using local-data directly, but then + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + + # service clients over SSL (on the TCP sockets), with plain DNS inside + # the SSL stream. Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # ssl-service-key: "path/to/privatekeyfile.key" + # ssl-service-pem: "path/to/publiccertfile.pem" + # ssl-port: 443 + + # request upstream over SSL (with plain DNS inside the SSL stream). + # Default is no. Can be turned on and off with unbound-control. + # ssl-upstream: no + +# Python config section. To enable: +# o use --with-pythonmodule to configure before compiling. +# o list python in the module-config string (above) to enable. +# o and give a python-script to run. +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section. +remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + control-enable: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations. + control-port: 8953 + + # unbound server key file. + # server-key-file: "/etc/unbound/unbound_server.key" + + # unbound server certificate file. + # server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + # control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + # control-cert-file: "/etc/unbound/unbound_control.pem" + +# Stub zones. +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# the list is treated as priming hints (default is no). +# With stub-first yes, it attempts without the stub if it fails. +# stub-zone: +# name: "example.com" +# stub-addr: 192.0.2.68 +# stub-prime: no +# stub-first: no +# stub-zone: +# name: "example.org" +# stub-host: ns.example.com. + +# Forward zones +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of servers. These servers have to handle +# recursion to other nameservers. List zero or more nameservers by hostname +# or by ipaddress. Use an entry with name "." to forward all queries. +# If you enable forward-first, it attempts without the forward if it fails. +# forward-zone: +# name: "example.com" +# forward-addr: 192.0.2.68 +# forward-addr: 192.0.2.73@5355 # forward to port 5355. +# forward-first: no +# forward-zone: +# name: "example.org" +# forward-host: fwd.example.com + +include: "/etc/unbound/unbound.conf.d/*.conf" diff --git a/etc/unbound/unbound.conf.d/local-hosts.conf b/etc/unbound/unbound.conf.d/local-hosts.conf new file mode 100644 index 0000000..f726ac0 --- /dev/null +++ b/etc/unbound/unbound.conf.d/local-hosts.conf @@ -0,0 +1,84 @@ +server: + # servers + local-data: "vin 30 in a 10.20.0.1" + local-data-ptr: "10.20.0.1 30 vin" + + # switches + local-data: "coresw 30 in a 10.20.0.11" + local-data-ptr: "10.20.0.11 30 coresw" + + local-data: "f0sw 30 in a 10.20.0.15" + local-data-ptr: "10.20.0.15 30 f0sw" + + local-data: "nocsw 30 in a 10.20.0.28" + local-data-ptr: "10.20.0.28 30 nocsw" + + local-data: "receptionsw 30 in a 10.20.0.25" + local-data-ptr: "10.20.0.25 30 receptionsw" + + local-data: "teamsw 30 in a 10.20.0.26" + local-data-ptr: "10.20.0.26 30 teamsw" + + local-data: "vocsw-a 30 in a 10.20.0.21" + local-data-ptr: "10.20.0.21 30 vocsw-a" + + local-data: "vocsw-b 30 in a 10.20.0.22" + local-data-ptr: "10.20.0.22 30 vocsw-b" + + # AP + local-data: "ap-cf-f-l 30 in a 10.20.0.50" + local-data-ptr: "10.20.0.50 30 ap-cf-f-l" + + local-data: "ap-cf-f-r 30 in a 10.20.0.51" + local-data-ptr: "10.20.0.51 30 ap-cf-f-r" + + local-data: "ap-cf-a1 30 in a 10.20.0.52" + local-data-ptr: "10.20.0.52 30 ap-cf-a1" + + local-data: "ap-cf-a2 30 in a 10.20.0.53" + local-data-ptr: "10.20.0.53 30 ap-cf-a2" + + local-data: "ap-cf-b1 30 in a 10.20.0.54" + local-data-ptr: "10.20.0.54 30 ap-cf-b1" + + local-data: "ap-cf-srv 30 in a 10.20.0.55" + local-data-ptr: "10.20.0.55 30 ap-cf-srv" + + local-data: "ap-cf-c1 30 in a 10.20.0.56" + local-data-ptr: "10.20.0.56 30 ap-cf-c1" + + local-data: "ap-cf-ch 30 in a 10.20.0.58" + local-data-ptr: "10.20.0.58 30 ap-cf-ch" + + local-data: "ap-cf-qws 30 in a 10.20.0.59" + local-data-ptr: "10.20.0.59 30 ap-cf-qws" + + local-data: "ap-ws-ws1 30 in a 10.20.0.60" + local-data-ptr: "10.20.0.60 30 ap-ws-ws1" + + local-data: "ap-ws-ws2 30 in a 10.20.0.61" + local-data-ptr: "10.20.0.61 30 ap-ws-ws2" + + local-data: "ap-ws-noc 30 in a 10.20.0.62" + local-data-ptr: "10.20.0.62 30 ap-ws-noc" + + local-data: "ap-spare-1 30 in a 10.20.0.63" + local-data-ptr: "10.20.0.63 30 ap-spare-1" + + local-data: "ap-spare-2 30 in a 10.20.0.64" + local-data-ptr: "10.20.0.64 30 ap-spare-2" + + local-data: "ap-spare-3 30 in a 10.20.0.65" + local-data-ptr: "10.20.0.65 30 ap-spare-3" + + local-data: "scaler-A 30 in a 10.23.0.6" + local-data-ptr: "10.23.0.6 30 scaler-A" + + local-data: "tv-1 30 in a 10.24.0.11" + local-data-ptr: "10.24.0.11 30 tv-1" + + local-data: "tv-2 30 in a 10.24.0.12" + local-data-ptr: "10.24.0.12 30 tv-2" + + local-data: "printer-1 30 in a 10.25.0.11" + local-data-ptr: "10.25.0.11 30 printer-1" diff --git a/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf b/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf new file mode 100644 index 0000000..433eff9 --- /dev/null +++ b/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf @@ -0,0 +1,4 @@ +server: + # The following line will configure unbound to perform cryptographic + # DNSSEC validation using the root trust anchor. + auto-trust-anchor-file: "/var/lib/unbound/root.key" diff --git a/etc/unbound/unbound_control.pem b/etc/unbound/unbound_control.pem new file mode 100644 index 0000000..2546a47 --- /dev/null +++ b/etc/unbound/unbound_control.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqDCCAhACCQCEdK4gfnegHjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd1 +bmJvdW5kMB4XDTE5MTAwNjA4MjIwNVoXDTM5MDYyMzA4MjIwNVowGjEYMBYGA1UE +AwwPdW5ib3VuZC1jb250cm9sMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC +AYEAvcaWmhz+fWYV61/2Z5enMLyDIQbWdOY2OMSv+YfnbNJp6odY49fHgy95vcaX +E/f6F0S6CPAuHVXvG1FdEi5ITbKq7bvsPpfIr+ecmVQOETfGBheC8hD2PFlJ86xi +mYRV02b3AdNzWwGy0NcYdV4W2d2l0t8Pd84sMNFQXZExjxRVgus9ZUcX7rkNu0qf +wQDJvUogmaj5xNQm64MEWrT3SLWEF/Hu8WmI+kIcMgf22DBwK9irYTOrnuRa2Twb +LJa2rZk2/WyJcglt1QlwNnJDTpp5bPMIALCcIztHbeKBVzXksbmz6O5ef2f9T4Qs +1kpUDC5bQph3droJVtTbSzonmuRzeFSJ0cWjJeCdaY9HGw/es0eWfdsumQxbKHxK +I6iKF1maKQX0mx1MlrrPjSRlEIFSALwgpLZHIF1dwnUR4q+d8Z6YvqcfqnZwHDtE +a78UUW6FdkE+DbwSlKl4P2jt61l2QBU9SIeXQmGPt3FoDwmJgdN+7i/wNuKVRPgp +q5DLAgMBAAEwDQYJKoZIhvcNAQELBQADggGBAIP4uqKphayhwU6boyfo9SlJ9xse +fzqOS5MPIEcm85oZyQ+pvxse0Db0Ogc5S+S8seLtRE0lOHL0SmlANewxxf3IWpyo +4hIQ3NeDwMOyUFPO3UFpH+13ylwfMX/cZawQleZB3ZvEKALsihRk4upkCuZ3GEHS +qeEiG5o8eJANcp2LEKsqkGWffs1KN+or/jFMwPhRMnNZEcF4cs1S4JmUjy80yFC4 +01K9VqWtFrywPzClU3lATPk9xcD6+RIlG4K4D4sWLw6bSuoIYUimXLnJ27XFIrhb +6TnyVnCW2EMmUYVQuEP5z0erRmPBXbEs4CMh3gQH6jYa/VZxBpSHYOkMGnwIFr7E +g2SuGr00szI3ltvqAPI0YP6dIla+0X1J/TukWWqhUAcHrHhqwXwWyGOVdANv4fkI +2NrWQNOaAO1gPDMOJnNbBgyeyDubps5+BSnY2yEhyfq1IS9eiScMHY54JodcYJSp +R6C7tUhjpr0qhf2C2fHEVA6BpuOJRKQim378Zg== +-----END CERTIFICATE----- diff --git a/etc/unbound/unbound_server.pem b/etc/unbound/unbound_server.pem new file mode 100644 index 0000000..e1b8ecf --- /dev/null +++ b/etc/unbound/unbound_server.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoDCCAggCCQCg9zp9pzE1BDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd1 +bmJvdW5kMB4XDTE5MTAwNjA4MjIwNVoXDTM5MDYyMzA4MjIwNVowEjEQMA4GA1UE +AwwHdW5ib3VuZDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALxPDHlA ++pITslIewNJ9qa8FjeArKCW1odfaQmFvjV6S7EessWCLmYtArW7f6+rHiO9uHsie +iSd126dYmfgdUNYDenedXK4stXBVshEfgXBsAncnrqhMHYKswkMHwTy6nukK2CHf +TrFSZSdJnIN9fxaa8oQr9oWmjAbk/8Q+b6cJeJ5zoZb9E6VrHVy/4Y0PFmwvwDAb +ky3azAfOgUqQNADEgBDMoiY/usMkTqdByToeL+nfiox+iRezIgEcfedGDSqsvEqH +5S3Vhc//tstW9pvKL2B0oBQYmxgANbDvRS+z2bU9LtGnX+CCFN75xQM4seTQ+a9G +UJzQI24hLoOBrP3TvA4NgcEYoit/eJhAwkxhrfi/SvSm1XI3QOPfN5Na5m4f7uod +nKByubAnCzL4kNLs74tCLLV4X+DP4bXwR21uFKYg7bll6uNTqFmtRMm3x+Bxc2on +ui7/Vfl9pZ0V1Qj+adQfA+jjG34zC47ep+1Czc2EFWU/C1541WwW60iSzQIDAQAB +MA0GCSqGSIb3DQEBCwUAA4IBgQAF496S2lCDLdO0CNiVNAZ5mjyRCD2VIPGJyAPh +AXZA33QSYPnzCrYrH8PHUXzufsa5rp8esS9Ko3S8JAqb+Ui5Oaj3opXPcaYYcOoq +DrM5K4tgFfpla3P/ebCnoscLYyZAHzKAtChf4kOkJ3z2kN8/V/U9FEiLGylrfTRK +a9fdsNZdZ6FEJY9ZJViUZRTcUQpLWr89PfjLv2WaRUP5rwiuwtiKTPP5LIoPI/3J +Y/42vMA7Oed4NYdsbgfBkzMyrWUcXTM3V/ioluZaUKbCB9nxrvlPbZdoJS7bQxCT +GpStN4t53ToHp63vK8KpC0y00ElcjIVTRv7/cKyU1QJpQCPX2jqRNswQdxD6NiXe +WUpUf8akVTfX88Ta0Z/kyMkqXpSTgD3B9yyvT6Cii7a1kMJJQl9LF3CexgpV+xSL +ICQV3HLtodtjhL+d0Qc9yXPuNMp52YtFRZs4K7DpgfZvdrQoRvzIOHOhsCGPjNGu +9T7YD+1VUzSWmxNZJbaCKSmaCMU= +-----END CERTIFICATE-----