2022-10-10 11:14:01 +03:00
27 changed files with 1885 additions and 0 deletions
--- a/etc/aliases
+++ b/etc/aliases
@ -0,0 +1,15 @@
 # /etc/aliases
 mailer-daemon: postmaster
 postmaster: root
 nobody: root
 hostmaster: root
 usenet: root
 news: root
 webmaster: root
 www: root
 ftp: root
 abuse: root
 noc: root
 security: root
 root: kalin
 nukemailz: /opt/syslog/arpwatch-mails.log
--- a/etc/arpwatch/README
+++ b/etc/arpwatch/README
@ -0,0 +1,22 @@
 arpwatch does not support a configuration file, but the systemd unit files
 shipped with Debian allow to launch arpwatch with different configurations on
 each interface
 In order to do that, create a file called IFNAME.iface which contains variable
 assignments in sh syntax (comments are allowed). You can use the following
 variables to influence the invocation for that specific interface only:
 * ARGS: overwrite the ARGS from /etc/default/arpwatch
 * PCAP_FILTER: overwrite (or set) the pcap filter
 * IFACE_ARGS: additional options to be passed to arpwatch
 See `man 8 arpwatch` for available arguments. Note that the -f, -i and -u
 options are added by the init system and should not used. If you just want to
 apply the options specified in /etc/default/arpwatch for an interface you do
 not need to create a configuration file.
 For example, if you want to send mails about arpwatch events on eth0 to
 arpwatch+eth0@example.com, you can generate the configuration file using the
 following command:
 echo 'IFACE_ARGS="-m arpwatch+eth0@example.com"' > /etc/arpwatch/eth0.iface
--- a/etc/arpwatch/bond0.20.iface
+++ b/etc/arpwatch/bond0.20.iface
@ -0,0 +1 @@
 IFACE_ARGS="-m nukemailz"
--- a/etc/arpwatch/bond0.21.iface
+++ b/etc/arpwatch/bond0.21.iface
@ -0,0 +1 @@
 IFACE_ARGS="-m nukemailz"
--- a/etc/arpwatch/bond0.22.iface
+++ b/etc/arpwatch/bond0.22.iface
@ -0,0 +1 @@
 IFACE_ARGS="-m nukemailz"
--- a/etc/arpwatch/bond0.23.iface
+++ b/etc/arpwatch/bond0.23.iface
@ -0,0 +1 @@
 IFACE_ARGS="-m nukemailz"
--- a/etc/arpwatch/bond0.25.iface
+++ b/etc/arpwatch/bond0.25.iface
@ -0,0 +1 @@
 IFACE_ARGS="-m nukemailz"
--- a/etc/arpwatch/bond0.29.iface
+++ b/etc/arpwatch/bond0.29.iface
@ -0,0 +1 @@
 IFACE_ARGS="-m nukemailz"
--- a/etc/default/haveged
+++ b/etc/default/haveged
@ -0,0 +1,4 @@
 # Configuration file for haveged
 # Options to pass to haveged:
 #DAEMON_ARGS=""
--- a/etc/fail2ban/fail2ban.conf
+++ b/etc/fail2ban/fail2ban.conf
@ -0,0 +1,86 @@
 # Fail2Ban main configuration file
 #
 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in fail2ban.local file, e.g.:
 #
 # [DEFAULT]
 # loglevel = DEBUG
 #
 [DEFAULT]
 # Option: loglevel
 # Notes.: Set the log level output.
 #         CRITICAL
 #         ERROR
 #         WARNING
 #         NOTICE
 #         INFO
 #         DEBUG
 # Values: [ LEVEL ]  Default: INFO
 #
 loglevel = INFO
 # Option: logtarget
 # Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
 #         Only one log target can be specified.
 #         If you change logtarget from the default value and you are
 #         using logrotate -- also adjust or disable rotation in the
 #         corresponding configuration file
 #         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
 # Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
 #
 logtarget = /var/log/fail2ban.log
 # Option: syslogsocket
 # Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
 #        auto uses platform.system() to determine predefined paths
 # Values: [ auto | FILE ]  Default: auto
 syslogsocket = auto
 # Option: socket
 # Notes.: Set the socket file. This is used to communicate with the daemon. Do
 #         not remove this file when Fail2ban runs. It will not be possible to
 #         communicate with the server afterwards.
 # Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
 #
 socket = /var/run/fail2ban/fail2ban.sock
 # Option: pidfile
 # Notes.: Set the PID file. This is used to store the process ID of the
 #         fail2ban server.
 # Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
 #
 pidfile = /var/run/fail2ban/fail2ban.pid
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
 #         A value of ":memory:" means database is only stored in memory 
 #         and data is lost when fail2ban is stopped.
 #         A value of "None" disables the database.
 # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
 dbfile = /var/lib/fail2ban/fail2ban.sqlite3
 # Options: dbpurgeage
 # Notes.: Sets age at which bans should be purged from the database
 # Values: [ SECONDS ] Default: 86400 (24hours)
 dbpurgeage = 1d
 # Options: dbmaxmatches
 # Notes.: Number of matches stored in database per ticket (resolvable via 
 #         tags <ipmatches>/<ipjailmatches> in actions)
 # Values: [ INT ] Default: 10
 dbmaxmatches = 10
 [Definition]
 [Thread]
 # Options: stacksize
 # Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
 #         and must be 0 or a positive integer value of at least 32.
 # Values: [ SIZE ] Default: 0 (use platform or configured default)
 #stacksize = 0
--- a/etc/fail2ban/jail.conf
+++ b/etc/fail2ban/jail.conf
@ -0,0 +1,964 @@
 #
 # WARNING: heavily refactored in 0.9.0 release.  Please review and
 #          customize settings for your setup.
 #
 # Changes:  in most of the cases you should not modify this
 #           file, but provide customizations in jail.local file,
 #           or separate .conf files under jail.d/ directory, e.g.:
 #
 # HOW TO ACTIVATE JAILS:
 #
 # YOU SHOULD NOT MODIFY THIS FILE.
 #
 # It will probably be overwritten or improved in a distribution update.
 #
 # Provide customizations in a jail.local file or a jail.d/customisation.local.
 # For example to change the default bantime for all jails and to enable the
 # ssh-iptables jail the following (uncommented) would appear in the .local file.
 # See man 5 jail.conf for details.
 #
 # [DEFAULT]
 # bantime = 1h
 #
 # [sshd]
 # enabled = true
 #
 # See jail.conf(5) man page for more information
 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
 [INCLUDES]
 #before = paths-distro.conf
 before = paths-debian.conf
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]
 #
 # MISCELLANEOUS OPTIONS
 #
 # "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
 # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
 #bantime.increment = true
 # "bantime.rndtime" is the max number of seconds using for mixing with random time 
 # to prevent "clever" botnets calculate exact time IP can be unbanned again:
 #bantime.rndtime = 
 # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
 #bantime.maxtime = 
 # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
 # default value of factor is 1 and with default value of formula, the ban time 
 # grows by 1, 2, 4, 8, 16 ...
 #bantime.factor = 1
 # "bantime.formula" used by default to calculate next value of ban time, default value below,
 # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
 #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
 #
 # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
 #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
 # "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
 # previously ban count and given "bantime.factor" (for multipliers default is 1);
 # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
 #bantime.multipliers = 1 2 4 8 16 32 64
 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
 # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
 # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
 # cross over all jails, if false (dafault), only current jail of the ban IP will be searched
 #bantime.overalljails = false
 # --------------------
 # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
 # (default is true). Fail2ban will not ban a host which matches such addresses.
 #ignoreself = true
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
 #ignoreip = 127.0.0.1/8 ::1
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
 #
 # ignorecommand = /path/to/command <ip>
 ignorecommand =
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 10m
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime  = 10m
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 # "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
 maxmatches = %(maxretry)s
 # "backend" specifies the backend used to get files modification.
 # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
 # This option can be overridden in each jail as well.
 #
 # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 #              If pyinotify is not installed, Fail2ban will use auto.
 # gamin:     requires Gamin (a file alteration monitor) to be installed.
 #              If Gamin is not installed, Fail2ban will use auto.
 # polling:   uses a polling algorithm which does not require external libraries.
 # systemd:   uses systemd python library to access the systemd journal.
 #              Specifying "logpath" is not valid for this backend.
 #              See "journalmatch" in the jails associated filter config
 # auto:      will try to use the following backends, in order:
 #              pyinotify, gamin, polling.
 #
 # Note: if systemd backend is chosen as the default but you enable a jail
 #       for which logs are present only in its own log files, specify some other
 #       backend for that jail (e.g. polling) and provide empty value for
 #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
 backend = auto
 # "usedns" specifies if jails should trust hostnames in logs,
 #   warn when DNS lookups are performed, or ignore all hostnames in logs
 #
 # yes:   if a hostname is encountered, a DNS lookup will be performed.
 # warn:  if a hostname is encountered, a DNS lookup will be performed,
 #        but it will be logged as a warning.
 # no:    if a hostname is encountered, will not be used for banning,
 #        but it will be logged as info.
 # raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
 usedns = warn
 # "logencoding" specifies the encoding of the log files handled by the jail
 #   This is used to decode the lines from the log file.
 #   Typical examples:  "ascii", "utf-8"
 #
 #   auto:   will use the system locale setting
 logencoding = auto
 # "enabled" enables the jails.
 #  By default all jails are disabled, and it should stay this way.
 #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
 #
 # true:  jail will be enabled and log files will get monitored for changes
 # false: jail is not enabled
 enabled = false
 # "mode" defines the mode of the filter (see corresponding filter implementation for more info).
 mode = normal
 # "filter" defines the filter to use by the jail.
 #  By default jails have names matching their filter name
 #
 filter = %(__name__)s[mode=%(mode)s]
 #
 # ACTIONS
 #
 # Some options used for actions
 # Destination email address used solely for the interpolations in
 # jail.{conf,local,d/*} configuration files.
 destemail = root@localhost
 # Sender email address used solely for some actions
 sender = root@<fq-hostname>
 # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
 # mailing. Change mta configuration parameter to mail if you want to
 # revert to conventional 'mail'.
 mta = sendmail
 # Default protocol
 protocol = tcp
 # Specify chain where jumps would need to be added in ban-actions expecting parameter chain
 chain = <known/chain>
 # Ports to be banned
 # Usually should be overridden in a particular jail
 port = 0:65535
 # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
 fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 #
 # Action shortcuts. To be used to define action parameter
 # Default banning action (e.g. iptables, iptables-new,
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
 banaction = iptables-multiport
 banaction_allports = iptables-allports
 # The simplest action to take: ban only
 action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(action_)s
            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
 # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
 #
 # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 # to the destemail.
 action_xarf = %(action_)s
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
 # Report block via blocklist.de fail2ban reporting service API
 # 
 # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
 # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
 # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
 # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
 # corresponding jail.d/my-jail.local file).
 #
 action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 # Report ban via badips.com, and use as blacklist
 #
 # See BadIPsAction docstring in config/action.d/badips.py for
 # documentation for this action.
 #
 # NOTE: This action relies on banaction being present on start and therefore
 # should be last action defined for a jail.
 #
 action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
 #
 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
 #
 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
 # Report ban via abuseipdb.com.
 #
 # See action.d/abuseipdb.conf for usage example and details.
 #
 action_abuseipdb = abuseipdb
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section
 action = %(action_)s
 #
 # JAILS
 #
 #
 # SSH servers
 #
 [sshd]
 # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 # normal (default), ddos, extra or aggressive (combines all).
 # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 #mode   = normal
 port    = ssh
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
 [dropbear]
 port     = ssh
 logpath  = %(dropbear_log)s
 backend  = %(dropbear_backend)s
 [selinux-ssh]
 port     = ssh
 logpath  = %(auditd_log)s
 #
 # HTTP servers
 #
 [apache-auth]
 port     = http,https
 logpath  = %(apache_error_log)s
 [apache-badbots]
 # Ban hosts which agent identifies spammer robots crawling the web
 # for email addresses. The mail outputs are buffered.
 port     = http,https
 logpath  = %(apache_access_log)s
 bantime  = 48h
 maxretry = 1
 [apache-noscript]
 port     = http,https
 logpath  = %(apache_error_log)s
 [apache-overflows]
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-nohome]
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-botsearch]
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-fakegooglebot]
 port     = http,https
 logpath  = %(apache_access_log)s
 maxretry = 1
 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
 [apache-modsecurity]
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
 [apache-shellshock]
 port    = http,https
 logpath = %(apache_error_log)s
 maxretry = 1
 [openhab-auth]
 filter = openhab
 banaction = %(banaction_allports)s
 logpath = /opt/openhab/logs/request.log
 [nginx-http-auth]
 port    = http,https
 logpath = %(nginx_error_log)s
 # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
 # and define `limit_req` and `limit_req_zone` as described in nginx documentation
 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 # or for example see in 'config/filter.d/nginx-limit-req.conf'
 [nginx-limit-req]
 port    = http,https
 logpath = %(nginx_error_log)s
 [nginx-botsearch]
 port     = http,https
 logpath  = %(nginx_error_log)s
 maxretry = 2
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
 [php-url-fopen]
 port    = http,https
 logpath = %(nginx_access_log)s
          %(apache_access_log)s
 [suhosin]
 port    = http,https
 logpath = %(suhosin_log)s
 [lighttpd-auth]
 # Same as above for Apache's mod_auth
 # It catches wrong authentifications
 port    = http,https
 logpath = %(lighttpd_error_log)s
 #
 # Webmail and groupware servers
 #
 [roundcube-auth]
 port     = http,https
 logpath  = %(roundcube_errors_log)s
 # Use following line in your jail.local if roundcube logs to journal.
 #backend = %(syslog_backend)s
 [openwebmail]
 port     = http,https
 logpath  = /var/log/openwebmail.log
 [horde]
 port     = http,https
 logpath  = /var/log/horde/horde.log
 [groupoffice]
 port     = http,https
 logpath  = /home/groupoffice/log/info.log
 [sogo-auth]
 # Monitor SOGo groupware server
 # without proxy this would be:
 # port    = 20000
 port     = http,https
 logpath  = /var/log/sogo/sogo.log
 [tine20]
 logpath  = /var/log/tine20/tine20.log
 port     = http,https
 #
 # Web Applications
 #
 #
 [drupal-auth]
 port     = http,https
 logpath  = %(syslog_daemon)s
 backend  = %(syslog_backend)s
 [guacamole]
 port     = http,https
 logpath  = /var/log/tomcat*/catalina.out
 #logpath  = /var/log/guacamole.log
 [monit]
 #Ban clients brute-forcing the monit gui login
 port = 2812
 logpath  = /var/log/monit
           /var/log/monit.log
 [webmin-auth]
 port    = 10000
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
 [froxlor-auth]
 port    = http,https
 logpath  = %(syslog_authpriv)s
 backend  = %(syslog_backend)s
 #
 # HTTP Proxy servers
 #
 #
 [squid]
 port     =  80,443,3128,8080
 logpath = /var/log/squid/access.log
 [3proxy]
 port    = 3128
 logpath = /var/log/3proxy.log
 #
 # FTP servers
 #
 [proftpd]
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(proftpd_log)s
 backend  = %(proftpd_backend)s
 [pure-ftpd]
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(pureftpd_log)s
 backend  = %(pureftpd_backend)s
 [gssftpd]
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(syslog_daemon)s
 backend  = %(syslog_backend)s
 [wuftpd]
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(wuftpd_log)s
 backend  = %(wuftpd_backend)s
 [vsftpd]
 # or overwrite it in jails.local to be
 # logpath = %(syslog_authpriv)s
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(vsftpd_log)s
 #
 # Mail servers
 #
 # ASSP SMTP Proxy Jail
 [assp]
 port     = smtp,465,submission
 logpath  = /root/path/to/assp/logs/maillog.txt
 [courier-smtp]
 port     = smtp,465,submission
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 [postfix]
 # To use another modes set filter parameter "mode" in jail.local:
 mode    = more
 port    = smtp,465,submission
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
 [postfix-rbl]
 filter   = postfix[mode=rbl]
 port     = smtp,465,submission
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
 maxretry = 1
 [sendmail-auth]
 port    = submission,465,smtp
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [sendmail-reject]
 # To use more aggressive modes set filter parameter "mode" in jail.local:
 # normal (default), extra or aggressive
 # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 #mode    = normal
 port     = smtp,465,submission
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 [qmail-rbl]
 filter  = qmail
 port    = smtp,465,submission
 logpath = /service/qmail/log/main/current
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [sieve]
 port   = smtp,465,submission
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [solid-pop3d]
 port    = pop3,pop3s
 logpath = %(solidpop3d_log)s
 [exim]
 # see filter.d/exim.conf for further modes supported from filter:
 #mode = normal
 port   = smtp,465,submission
 logpath = %(exim_main_log)s
 [exim-spam]
 port   = smtp,465,submission
 logpath = %(exim_main_log)s
 [kerio]
 port    = imap,smtp,imaps,465
 logpath = /opt/kerio/mailserver/store/logs/security.log
 #
 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 # all relevant ports get banned
 #
 [courier-auth]
 port     = smtp,465,submission,imap,imaps,pop3,pop3s
 logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s
 [postfix-sasl]
 filter   = postfix[mode=auth]
 port     = smtp,465,submission,imap,imaps,pop3,pop3s
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
 [perdition]
 port   = imap,imaps,pop3,pop3s
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [squirrelmail]
 port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 [cyrus-imap]
 port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [uwimap-auth]
 port   = imap,imaps
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 #
 #
 # DNS servers
 #
 # !!! WARNING !!!
 #   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
 #   might provide an easy way for implementing a DoS against a chosen
 #   victim. See
 #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 #   Please DO NOT USE this jail unless you know what you are doing.
 #
 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
 # This jail blocks UDP traffic for DNS requests.
 # [named-refused-udp]
 #
 # filter   = named-refused
 # port     = domain,953
 # protocol = udp
 # logpath  = /var/log/named/security.log
 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
 # This jail blocks TCP traffic for DNS requests.
 [named-refused]
 port     = domain,953
 logpath  = /var/log/named/security.log
 [nsd]
 port     = 53
 action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
 logpath = /var/log/nsd.log
 #
 # Miscellaneous
 #
 [asterisk]
 port     = 5060,5061
 action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 [freeswitch]
 port     = 5060,5061
 action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
 logpath  = /var/log/freeswitch.log
 maxretry = 10
 # enable adminlog; it will log to a file inside znc's directory by default.
 [znc-adminlog]
 port     = 6667
 logpath  = /var/lib/znc/moddata/adminlog/znc.log
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
 # log-warnings = 2
 #
 # for syslog (daemon facility)
 # [mysqld_safe]
 # syslog
 #
 # for own logfile
 # [mysqld]
 # log-error=/var/log/mysqld.log
 [mysqld-auth]
 port     = 3306
 logpath  = %(mysql_log)s
 backend  = %(mysql_backend)s
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
 port     = 27017
 logpath  = /var/log/mongodb/mongodb.log
 # Jail for more extended banning of persistent abusers
 # !!! WARNINGS !!!
 # 1. Make sure that your loglevel specified in fail2ban.conf/.local
 #    is not at DEBUG level -- which might then cause fail2ban to fall into
 #    an infinite loop constantly feeding itself with non-informative lines
 # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
 #    to maintain entries for failed logins for sufficient amount of time
 [recidive]
 logpath  = /var/log/fail2ban.log
 banaction = %(banaction_allports)s
 bantime  = 1w
 findtime = 1d
 # Generic filter for PAM. Has to be used with action which bans all
 # ports such as iptables-allports, shorewall
 [pam-generic]
 # pam-generic filter can be customized to monitor specific subset of 'tty's
 banaction = %(banaction_allports)s
 logpath  = %(syslog_authpriv)s
 backend  = %(syslog_backend)s
 [xinetd-fail]
 banaction = iptables-multiport-log
 logpath   = %(syslog_daemon)s
 backend   = %(syslog_backend)s
 maxretry  = 2
 # stunnel - need to set port for this
 [stunnel]
 logpath = /var/log/stunnel4/stunnel.log
 [ejabberd-auth]
 port    = 5222
 logpath = /var/log/ejabberd/ejabberd.log
 [counter-strike]
 logpath = /opt/cstrike/logs/L[0-9]*.log
 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
 action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
 [softethervpn]
 port     = 500,4500
 protocol = udp
 logpath  = /usr/local/vpnserver/security_log/*/sec.log
 [gitlab]
 port    = http,https
 logpath = /var/log/gitlab/gitlab-rails/application.log
 [grafana]
 port    = http,https
 logpath = /var/log/grafana/grafana.log
 [bitwarden]
 port    = http,https
 logpath = /home/*/bwdata/logs/identity/Identity/log.txt
 [centreon]
 port    = http,https
 logpath = /var/log/centreon/login.log
 # consider low maxretry and a long bantime
 # nobody except your own Nagios server should ever probe nrpe
 [nagios]
 logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
 backend  = %(syslog_backend)s
 maxretry = 1
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
 logpath = /opt/sun/comms/messaging64/log/mail.log_current
 banaction = %(banaction_allports)s
 [directadmin]
 logpath = /var/log/directadmin/login.log
 port = 2222
 [portsentry]
 logpath  = /var/lib/portsentry/portsentry.history
 maxretry = 1
 [pass2allow-ftp]
 # this pass2allow example allows FTP traffic after successful HTTP authentication
 port         = ftp,ftp-data,ftps,ftps-data
 # knocking_url variable must be overridden to some secret value in jail.local
 knocking_url = /knocking/
 filter       = apache-pass[knocking_url="%(knocking_url)s"]
 # access log of the website with HTTP auth
 logpath      = %(apache_access_log)s
 blocktype    = RETURN
 returntype   = DROP
 action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
                        actionstart_on_demand=false, actionrepair_on_unban=true]
 bantime      = 1h
 maxretry     = 1
 findtime     = 1
 [murmur]
 # AKA mumble-server
 port     = 64738
 action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
 logpath  = /var/log/mumble-server/mumble-server.log
 [screensharingd]
 # For Mac OS Screen Sharing Service (VNC)
 logpath  = /var/log/system.log
 logencoding = utf-8
 [haproxy-http-auth]
 # HAProxy by default doesn't log to file you'll need to set it up to forward
 # logs to a syslog server which would then write them to disk.
 # See "haproxy-http-auth" filter for a brief cautionary note when setting
 # maxretry and findtime.
 logpath  = /var/log/haproxy.log
 [slapd]
 port    = ldap,ldaps
 logpath = /var/log/slapd.log
 [domino-smtp]
 port    = smtp,ssmtp
 logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
 [phpmyadmin-syslog]
 port    = http,https
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
 [zoneminder]
 # Zoneminder HTTP/HTTPS web interface auth
 # Logs auth failures to apache2 error log
 port    = http,https
 logpath = %(apache_error_log)s
 [traefik-auth]
 # to use 'traefik-auth' filter you have to configure your Traefik instance,
 # see `filter.d/traefik-auth.conf` for details and service example.
 port    = http,https
 logpath = /var/log/traefik/access.log
--- a/etc/fail2ban/jail.d/defaults-debian.conf
+++ b/etc/fail2ban/jail.d/defaults-debian.conf
@ -0,0 +1,2 @@
 [sshd]
 enabled = true
--- a/etc/ntp.conf
+++ b/etc/ntp.conf
@ -0,0 +1,42 @@
 #
 # Ansible managed
 #
 # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 driftfile /var/lib/ntp/ntp.drift
 # Enable this if you want statistics to be logged.
 #statsdir /var/log/ntpstats/
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
 pool bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst
 server marla.ludost.net minpoll 4 maxpoll 10 iburst burst
 server tryler.ludost.net minpoll 4 maxpoll 10 iburst burst
 # hard backup
 pool 2.bg.pool.ntp.org minpoll 4 maxpoll 10 iburst burst
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 # By default, exchange time with everybody, but don't allow configuration.
 restrict -4 default kod notrap nomodify nopeer noquery limited
 restrict -6 default kod notrap nomodify nopeer noquery limited
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
 # Needed for adding pool entries
 restrict source notrap nomodify noquery
--- a/etc/systemd/system/multi-user.target.wants/arpwatch.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch.service
--- a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.20.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.20.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch@.service
--- a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.21.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.21.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch@.service
--- a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.22.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.22.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch@.service
--- a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.23.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.23.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch@.service
--- a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.25.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.25.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch@.service
--- a/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.29.service
+++ b/etc/systemd/system/multi-user.target.wants/arpwatch@bond0.29.service
@ -0,0 +1 @@
 /lib/systemd/system/arpwatch@.service
--- a/etc/unbound/.gitignore
+++ b/etc/unbound/.gitignore
@ -0,0 +1 @@
 *.key
--- a/etc/unbound/unbound.conf
+++ b/etc/unbound/unbound.conf
@ -0,0 +1,591 @@
 #Use this to include other text into the file.
 #include: "otherfile.conf"
 # The server clause sets the main parameters. 
 server:
 	# whitespace is not necessary, but looks cleaner.
 	# verbosity number, 0 is least verbose. 1 is default.
 	verbosity: 1
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
 	# statistics-interval: 0
 	# enable cumulative statistics, without clearing them after printing.
 	# statistics-cumulative: no
 	# enable extended statistics (query types, answer codes, status)
 	# printed from unbound-control. default off, because of speed.
 	# extended-statistics: no
 	# number of threads to create. 1 disables threading.
 	# num-threads: 1
 	# specify the interfaces to answer queries from by ip-address.
 	# The default is to listen to localhost (127.0.0.1 and ::1).
 	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
 	# specify every interface[@port] on a new 'interface:' labelled line.
 	# The listen interfaces are not changed on reload, only on restart.
 	# interface: 192.0.2.153
 	# interface: 192.0.2.154
 	# interface: 192.0.2.154@5003
 	# interface: 2001:DB8::5
 	interface: 0.0.0.0
 	interface: ::0
 	# enable this feature to copy the source address of queries to reply.
 	# Socket options are not supported on all platforms. experimental. 
 	interface-automatic: no
 	# port to answer queries from
 	# port: 53
 	# specify the interfaces to send outgoing queries to authoritative
 	# server from by ip-address. If none, the default (all) interface
 	# is used. Specify every interface on a 'outgoing-interface:' line.
 	# outgoing-interface: 192.0.2.153
 	# outgoing-interface: 2001:DB8::5
 	# outgoing-interface: 2001:DB8::6
 	# number of ports to allocate per thread, determines the size of the
 	# port range that can be open simultaneously.  About double the
 	# num-queries-per-thread, or, use as many as the OS will allow you.
 	# outgoing-range: 4096
 	# permit unbound to use this port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# outgoing-port-permit: 32768
 	# deny unbound the use this of port number or port range for
 	# making outgoing queries, using an outgoing interface.
 	# Use this to make sure unbound does not grab a UDP port that some
 	# other server on this computer needs. The default is to avoid
 	# IANA-assigned port numbers.
 	# If multiple outgoing-port-permit and outgoing-port-avoid options
 	# are present, they are processed in order.
 	# outgoing-port-avoid: "3200-3208"
 	# number of outgoing simultaneous tcp buffers to hold per thread.
 	# outgoing-num-tcp: 10
 	# number of incoming simultaneous tcp buffers to hold per thread.
 	# incoming-num-tcp: 10
 	# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
 	# 0 is system default.  Use 4m to catch query spikes for busy servers.
 	# so-rcvbuf: 0
 	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
 	# 0 is system default.  Use 4m to handle spikes on very busy servers.
 	# so-sndbuf: 0
 	# on Linux(3.9+) use SO_REUSEPORT to distribute queries over threads.
 	# so-reuseport: no
 	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 	# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 	# edns-buffer-size: 4096
 	# Maximum UDP response size (not applied to TCP response).
 	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
 	# max-udp-size: 4096
 	# buffer size for handling DNS data. No messages larger than this
 	# size can be sent or received, by UDP or TCP. In bytes.
 	# msg-buffer-size: 65552
 	# the amount of memory to use for the message cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb". 
 	# msg-cache-size: 4m
 	# the number of slabs to use for the message cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# msg-cache-slabs: 4
 	# the number of queries that a thread gets to service.
 	# num-queries-per-thread: 1024
 	# if very busy, 50% queries run to completion, 50% get timeout in msec
 	# jostle-timeout: 200
 	# msec to wait before close of port on timeout UDP. 0 disables.
 	# delay-close: 0
 	# the amount of memory to use for the RRset cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb". 
 	# rrset-cache-size: 4m
 	# the number of slabs to use for the RRset cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# rrset-cache-slabs: 4
 	# the time to live (TTL) value lower bound, in seconds. Default 0.
 	# If more than an hour could easily give trouble due to stale data.
 	# cache-min-ttl: 0
 	# the time to live (TTL) value cap for RRsets and messages in the
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400
 	# the time to live (TTL) value for cached roundtrip times, lameness and
 	# EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
 	# the number of slabs to use for the Infrastructure cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# infra-cache-slabs: 4
 	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000
 	# Enable IPv4, "yes" or "no".
 	# do-ip4: yes
 	# Enable IPv6, "yes" or "no".
 	# do-ip6: yes
 	# Enable UDP, "yes" or "no".
 	# do-udp: yes
 	# Enable TCP, "yes" or "no".
 	# do-tcp: yes
 	# upstream connections use TCP only (and no UDP), "yes" or "no"
 	# useful for tunneling scenarios, default no.
 	# tcp-upstream: no
 	# Detach from the terminal, run in background, "yes" or "no".
 	# do-daemonize: yes
 	# control which clients are allowed to make (recursive) queries
 	# to this server. Specify classless netblocks with /size and action.
 	# By default everything is refused, except for localhost.
 	# Choose deny (drop message), refuse (polite error reply),
 	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
 	access-control: 0.0.0.0/0 refuse
 	access-control: 127.0.0.0/8 allow
 	access-control: 10.20.0.0/8 allow
 	access-control: 192.168.0.0/16 allow
 	access-control: ::0/0 refuse
 	access-control: ::1 allow
 	access-control: ::ffff:127.0.0.1 allow
 	access-control: 2001:67c:21bc:30::/60 allow
 	# if given, a chroot(2) is done to the given directory.
 	# i.e. you can chroot to the working directory, for example,
 	# for extra security, but make sure all files are in that directory.
 	#
 	# If chroot is enabled, you should pass the configfile (from the
 	# commandline) as a full path from the original root. After the
 	# chroot has been performed the now defunct portion of the config 
 	# file path is removed to be able to reread the config after a reload. 
 	#
 	# All other file paths (working dir, logfile, roothints, and
 	# key files) can be specified in several ways:
 	# 	o as an absolute path relative to the new root.
 	# 	o as a relative path to the working directory.
 	# 	o as an absolute path relative to the original root.
 	# In the last case the path is adjusted to remove the unused portion.
 	#
 	# The pid file can be absolute and outside of the chroot, it is 
 	# written just prior to performing the chroot and dropping permissions.
 	#
 	# Additionally, unbound may need to access /dev/random (for entropy).
 	# How to do this is specific to your OS.
 	#
 	# If you give "" no chroot is performed. The path must not end in a /.
 	# chroot: "/etc/unbound"
 	# if given, user privileges are dropped (after binding port),
 	# and the given username is assumed. Default is user "unbound".
 	# If you give "" no privileges are dropped.
 	# username: "unbound"
 	# the working directory. The relative files in this config are 
 	# relative to this directory. If you give "" the working directory
 	# is not changed.
 	# directory: "/etc/unbound"
 	# the log file, "" means log to stderr. 
 	# Use of this option sets use-syslog to "no".
 	# logfile: ""
 	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
 	# log to, with identity "unbound". If yes, it overrides the logfile.
 	# use-syslog: yes 
 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
 	# log-time-ascii: no
 	# print one line with time, IP, name, type, class for every query.
 	# log-queries: no
 	# the pid file. Can be an absolute path outside of chroot/work dir.
 	# pidfile: "/etc/unbound/unbound.pid"
 	# file to read root hints from.
 	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
 	# root-hints: ""
 	# enable to not answer id.server and hostname.bind queries.
 	# hide-identity: no
 	# enable to not answer version.server and version.bind queries.
 	# hide-version: no
 	# the identity to report. Leave "" or default to return hostname.
 	# identity: ""
 	# the version to report. Leave "" or default to return package version.
 	# version: ""
 	# the target fetch policy.
 	# series of integers describing the policy per dependency depth. 
 	# The number of values in the list determines the maximum dependency 
 	# depth the recursor will pursue before giving up. Each integer means:
 	# 	-1 : fetch all targets opportunistically,
 	# 	0: fetch on demand,
 	#	positive value: fetch that many targets opportunistically.
 	# Enclose the list of numbers between quotes ("").
 	# target-fetch-policy: "3 2 1 0 0"
 	# Harden against very small EDNS buffer sizes. 
 	harden-short-bufsize: yes
 	# Harden against unseemly large queries.
 	harden-large-queries: yes
 	# Harden against out of zone rrsets, to avoid spoofing attempts. 
 	harden-glue: yes
 	# Harden against receiving dnssec-stripped data. If you turn it
 	# off, failing to validate dnskey data for a trustanchor will 
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
 	# Harden against queries that fall under dnssec-signed nxdomain names.
 	# harden-below-nxdomain: no
        # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
 	# Default off, because the lookups burden the server.  Experimental 
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	# harden-referral-path: no
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.
 	# use-caps-for-id: no
 	# Enforce privacy of these addresses. Strips them away from answers. 
 	# It may cause DNSSEC validation to additionally mark it as bogus. 
 	# Protects against 'DNS Rebinding' (uses browser as network proxy). 
 	# Only 'private-domain' and 'local-data' names are allowed to have 
 	# these private addresses. No default.
 	# private-address: 10.0.0.0/8
 	# private-address: 172.16.0.0/12
 	# private-address: 192.168.0.0/16
 	# private-address: 169.254.0.0/16
 	# private-address: fd00::/8
 	# private-address: fe80::/10
 	# Allow the domain (and its subdomains) to contain private addresses.
 	# local-data statements are allowed to contain private addresses too.
 	# private-domain: "example.com"
 	# If nonzero, unwanted replies are not only reported in statistics,
 	# but also a running total is kept per thread. If it reaches the
 	# threshold, a warning is printed and a defensive action is taken,
 	# the cache is cleared to flush potential poison out of it.
 	# A suggested value is 10000000, the default is 0 (turned off).
 	# unwanted-reply-threshold: 0
 	# Do not query the following addresses. No DNS queries are sent there.
 	# List one address per entry. List classless netblocks with /size,
 	# do-not-query-address: 127.0.0.1/8
 	# do-not-query-address: ::1
 	# if yes, the above default do-not-query-address entries are present.
 	# if no, localhost can be queried (for testing and debugging).
 	# do-not-query-localhost: yes
 	# if yes, perform prefetching of almost expired message cache entries.
 	# prefetch: no
 	# if yes, perform key lookups adjacent to normal lookups.
 	# prefetch-key: no
 	# if yes, Unbound rotates RRSet order in response.
 	# rrset-roundrobin: no
 	# if yes, Unbound doesn't insert authority/additional sections
 	# into response messages when those sections are not required.
 	minimal-responses: yes
 	# module configuration of the server. A string with identifiers
 	# separated by spaces. "iterator" or "validator iterator"
 	# module-config: "validator iterator"
 	# File with trusted keys, kept uptodate using RFC5011 probes,
 	# initial file like trust-anchor-file, then it stores metadata.
 	# Use several entries, one per domain name, to track multiple zones.
 	#
 	# If you want to perform DNSSEC validation, run unbound-anchor before
 	# you start unbound (i.e. in the system boot scripts).  And enable:
 	# Please note usage of unbound-anchor root anchor is at your own risk
 	# and under the terms of our LICENSE (see that file in the source).
 	# auto-trust-anchor-file: "/etc/unbound/root.key"
 	# File with DLV trusted keys. Same format as trust-anchor-file.
 	# There can be only one DLV configured, it is trusted from root down.
 	# Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
 	# dlv-anchor-file: "dlv.isc.org.key"
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry.
 	# Zone file format, with DS and DNSKEY entries.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# trust-anchor-file: ""
 	# Trusted key for validation. DS or DNSKEY. specify the RR on a
 	# single line, surrounded by "". TTL is ignored. class is IN default.
 	# Note this gets out of date, use auto-trust-anchor-file please.
 	# (These examples are from August 2007 and may not be valid anymore).
 	# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
 	# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
 	# File with trusted keys for validation. Specify more than one file
 	# with several entries, one file per entry. Like trust-anchor-file
 	# but has a different file format. Format is BIND-9 style format, 
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# you need external update procedures to track changes in keys.
 	# trusted-keys-file: ""
 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
 	# Override the date for validation with a specific fixed date.
 	# Do not set this unless you are debugging signature inception
 	# and expiration. "" or "0" turns the feature off. -1 ignores date.
 	# val-override-date: ""
 	# The time to live for bogus data, rrsets and messages. This avoids
 	# some of the revalidation, until the time interval expires. in secs.
 	# val-bogus-ttl: 60
 	# The signature inception and expiration dates are allowed to be off
 	# by 10% of the signature lifetime (expir-incep) from our local clock.
 	# This leeway is capped with a minimum and a maximum.  In seconds.
 	# val-sig-skew-min: 3600
 	# val-sig-skew-max: 86400
 	# Should additional section of secure message also be kept clean of
 	# unsecure data. Useful to shield the users of this validator from
 	# potential bogus data in the additional section. All unsigned data 
 	# in the additional section is removed from secure messages.
 	# val-clean-additional: yes
 	# Turn permissive mode on to permit bogus messages. Thus, messages
 	# for which security checks failed will be returned to clients,
 	# instead of SERVFAIL. It still performs the security checks, which
 	# result in interesting log files and possibly the AD bit in
 	# replies if the message is found secure. The default is off.
 	# val-permissive-mode: no
 	# Ignore the CD flag in incoming queries and refuse them bogus data.
 	# Enable it if the only clients of unbound are legacy servers (w2008)
 	# that set CD but cannot validate themselves.
 	# ignore-cd-flag: no
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	# val-log-level: 0
 	# It is possible to configure NSEC3 maximum iteration counts per
 	# keysize. Keep this table very short, as linear search is done.
 	# A message with an NSEC3 with larger count is marked insecure.
 	# List in ascending order the keysize and count values.
 	# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
 	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
 	# add-holddown: 2592000 # 30 days
 	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
 	# del-holddown: 2592000 # 30 days
 	# auto-trust-anchor-file probing removes missing anchors after ttl.
 	# If the value 0 is given, missing anchors are not removed.
 	# keep-missing: 31622400 # 366 days
 	# the amount of memory to use for the key cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb". 
 	# key-cache-size: 4m
 	# the number of slabs to use for the key cache.
 	# the number of slabs must be a power of 2.
 	# more slabs reduce lock contention, but fragment memory usage.
 	# key-cache-slabs: 4
 	# the amount of memory to use for the negative cache (used for DLV).
 	# plain value in bytes or you can append k, m or G. default is "1Mb". 
 	# neg-cache-size: 1m
 	# By default, for a number of zones a small default 'nothing here'
 	# reply is built-in.  Query traffic is thus blocked.  If you
 	# wish to serve such zone you can unblock them by uncommenting one
 	# of the nodefault statements below.
 	# You may also have to use domain-insecure: zone to make DNSSEC work,
 	# unless you have your own trust anchors for this zone.
 	# local-zone: "localhost." nodefault
 	# local-zone: "127.in-addr.arpa." nodefault
 	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
 	# local-zone: "10.in-addr.arpa." nodefault
 	# local-zone: "16.172.in-addr.arpa." nodefault
 	# local-zone: "17.172.in-addr.arpa." nodefault
 	# local-zone: "18.172.in-addr.arpa." nodefault
 	# local-zone: "19.172.in-addr.arpa." nodefault
 	# local-zone: "20.172.in-addr.arpa." nodefault
 	# local-zone: "21.172.in-addr.arpa." nodefault
 	# local-zone: "22.172.in-addr.arpa." nodefault
 	# local-zone: "23.172.in-addr.arpa." nodefault
 	# local-zone: "24.172.in-addr.arpa." nodefault
 	# local-zone: "25.172.in-addr.arpa." nodefault
 	# local-zone: "26.172.in-addr.arpa." nodefault
 	# local-zone: "27.172.in-addr.arpa." nodefault
 	# local-zone: "28.172.in-addr.arpa." nodefault
 	# local-zone: "29.172.in-addr.arpa." nodefault
 	# local-zone: "30.172.in-addr.arpa." nodefault
 	# local-zone: "31.172.in-addr.arpa." nodefault
 	# local-zone: "168.192.in-addr.arpa." nodefault
 	# local-zone: "0.in-addr.arpa." nodefault
 	# local-zone: "254.169.in-addr.arpa." nodefault
 	# local-zone: "2.0.192.in-addr.arpa." nodefault
 	# local-zone: "100.51.198.in-addr.arpa." nodefault
 	# local-zone: "113.0.203.in-addr.arpa." nodefault
 	# local-zone: "255.255.255.255.in-addr.arpa." nodefault
 	# local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
 	# local-zone: "d.f.ip6.arpa." nodefault
 	# local-zone: "8.e.f.ip6.arpa." nodefault
 	# local-zone: "9.e.f.ip6.arpa." nodefault
 	# local-zone: "a.e.f.ip6.arpa." nodefault
 	# local-zone: "b.e.f.ip6.arpa." nodefault
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# a number of locally served zones can be configured.
 	# 	local-zone: <zone> <type>
 	# 	local-data: "<resource record string>"
 	# o deny serves local data (if any), else, drops queries. 
 	# o refuse serves local data (if any), else, replies with error.
 	# o static serves local data, else, nxdomain or nodata answer.
 	# o transparent gives local data, but resolves normally for other names
 	# o redirect serves the zone data for any subdomain in the zone.
 	# o nodefault can be used to normally resolve AS112 zones.
 	# o typetransparent resolves normally for other types and other names
 	#
 	# defaults are localhost address, reverse for 127.0.0.1 and ::1
 	# and nxdomain for AS112 zones. If you configure one of these zones
 	# the default content is omitted, or you can omit it with 'nodefault'.
 	# 
 	# If you configure local-data without specifying local-zone, by
 	# default a transparent local-zone is created for the data.
 	#
 	# You can add locally served data with
 	# local-zone: "local." static
 	# local-data: "mycomputer.local. IN A 192.0.2.51"
 	# local-data: 'mytext.local TXT "content of text record"'
 	#
 	# You can override certain queries with
 	# local-data: "adserver.example.com A 127.0.0.1"
 	#
 	# You can redirect a domain to a fixed address with
 	# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
 	# local-zone: "example.com" redirect
 	# local-data: "example.com A 192.0.2.3"
 	#
 	# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
 	# You can also add PTR records using local-data directly, but then
 	# you need to do the reverse notation yourself.
 	# local-data-ptr: "192.0.2.3 www.example.com"
 	# service clients over SSL (on the TCP sockets), with plain DNS inside
 	# the SSL stream.  Give the certificate to use and private key.
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
 	# ssl-port: 443
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
 	# ssl-upstream: no
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
 # o and give a python-script to run.
 python:
 	# Script file to load
 	# python-script: "/etc/unbound/ubmodule-tst.py"
 # Remote control config section. 
 remote-control:
 	# Enable remote control with unbound-control(8) here.
 	# set up the keys and certificates with unbound-control-setup.
 	 control-enable: yes
 	# what interfaces are listened to for remote control.
 	# give 0.0.0.0 and ::0 to listen to all interfaces.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 	# port number for remote control operations.
 	 control-port: 8953
 	# unbound server key file.
 	# server-key-file: "/etc/unbound/unbound_server.key"
 	# unbound server certificate file.
 	# server-cert-file: "/etc/unbound/unbound_server.pem"
 	# unbound-control key file.
 	# control-key-file: "/etc/unbound/unbound_control.key"
 	# unbound-control certificate file.
 	# control-cert-file: "/etc/unbound/unbound_control.pem"
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and 
 # 'example.org' go to the given list of nameservers. list zero or more 
 # nameservers by hostname or by ipaddress. If you set stub-prime to yes, 
 # the list is treated as priming hints (default is no).
 # With stub-first yes, it attempts without the stub if it fails.
 # stub-zone:
 #	name: "example.com"
 #	stub-addr: 192.0.2.68
 #	stub-prime: no
 #	stub-first: no
 # stub-zone:
 #	name: "example.org"
 #	stub-host: ns.example.com.
 # Forward zones
 # Create entries like below, to make all queries for 'example.com' and
 # 'example.org' go to the given list of servers. These servers have to handle
 # recursion to other nameservers. List zero or more nameservers by hostname
 # or by ipaddress. Use an entry with name "." to forward all queries.
 # If you enable forward-first, it attempts without the forward if it fails.
 # forward-zone:
 # 	name: "example.com"
 # 	forward-addr: 192.0.2.68
 # 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
 # 	forward-first: no
 # forward-zone:
 # 	name: "example.org"
 # 	forward-host: fwd.example.com
 include: "/etc/unbound/unbound.conf.d/*.conf"
--- a/etc/unbound/unbound.conf.d/local-hosts.conf
+++ b/etc/unbound/unbound.conf.d/local-hosts.conf
@ -0,0 +1,84 @@
 server:
 	# servers
 	local-data: "vin 30 in a 10.20.0.1"
 	local-data-ptr: "10.20.0.1 30 vin"
 	# switches
 	local-data: "coresw 30 in a 10.20.0.11"
 	local-data-ptr: "10.20.0.11 30 coresw"
 	local-data: "f0sw 30 in a 10.20.0.15"
 	local-data-ptr: "10.20.0.15 30 f0sw"
 	local-data: "nocsw 30 in a 10.20.0.28"
 	local-data-ptr: "10.20.0.28 30 nocsw"
 	local-data: "receptionsw 30 in a 10.20.0.25"
 	local-data-ptr: "10.20.0.25 30 receptionsw"
 	local-data: "teamsw 30 in a 10.20.0.26"
 	local-data-ptr: "10.20.0.26 30 teamsw"
 	local-data: "vocsw-a 30 in a 10.20.0.21"
 	local-data-ptr: "10.20.0.21 30 vocsw-a"
 	local-data: "vocsw-b 30 in a 10.20.0.22"
 	local-data-ptr: "10.20.0.22 30 vocsw-b"
 	# AP
 	local-data: "ap-cf-f-l 30 in a 10.20.0.50"
 	local-data-ptr: "10.20.0.50 30 ap-cf-f-l"
 	local-data: "ap-cf-f-r 30 in a 10.20.0.51"
 	local-data-ptr: "10.20.0.51 30 ap-cf-f-r"
 	local-data: "ap-cf-a1 30 in a 10.20.0.52"
 	local-data-ptr: "10.20.0.52 30 ap-cf-a1"
 	local-data: "ap-cf-a2 30 in a 10.20.0.53"
 	local-data-ptr: "10.20.0.53 30 ap-cf-a2"
 	local-data: "ap-cf-b1 30 in a 10.20.0.54"
 	local-data-ptr: "10.20.0.54 30 ap-cf-b1"
 	local-data: "ap-cf-srv 30 in a 10.20.0.55"
 	local-data-ptr: "10.20.0.55 30 ap-cf-srv"
 	local-data: "ap-cf-c1 30 in a 10.20.0.56"
 	local-data-ptr: "10.20.0.56 30 ap-cf-c1"
 	local-data: "ap-cf-ch 30 in a 10.20.0.58"
 	local-data-ptr: "10.20.0.58 30 ap-cf-ch"
 	local-data: "ap-cf-qws 30 in a 10.20.0.59"
 	local-data-ptr: "10.20.0.59 30 ap-cf-qws"
 	local-data: "ap-ws-ws1 30 in a 10.20.0.60"
 	local-data-ptr: "10.20.0.60 30 ap-ws-ws1"
 	local-data: "ap-ws-ws2 30 in a 10.20.0.61"
 	local-data-ptr: "10.20.0.61 30 ap-ws-ws2"
 	local-data: "ap-ws-noc 30 in a 10.20.0.62"
 	local-data-ptr: "10.20.0.62 30 ap-ws-noc"
 	local-data: "ap-spare-1 30 in a 10.20.0.63"
 	local-data-ptr: "10.20.0.63 30 ap-spare-1"
 	local-data: "ap-spare-2 30 in a 10.20.0.64"
 	local-data-ptr: "10.20.0.64 30 ap-spare-2"
 	local-data: "ap-spare-3 30 in a 10.20.0.65"
 	local-data-ptr: "10.20.0.65 30 ap-spare-3"
 	local-data: "scaler-A 30 in a 10.23.0.6"
 	local-data-ptr: "10.23.0.6 30 scaler-A"
 	local-data: "tv-1 30 in a 10.24.0.11"
 	local-data-ptr: "10.24.0.11 30 tv-1"
 	local-data: "tv-2 30 in a 10.24.0.12"
 	local-data-ptr: "10.24.0.12 30 tv-2"
 	local-data: "printer-1 30 in a 10.25.0.11"
 	local-data-ptr: "10.25.0.11 30 printer-1"
--- a/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
+++ b/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
@ -0,0 +1,4 @@
 server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
--- a/etc/unbound/unbound_control.pem
+++ b/etc/unbound/unbound_control.pem
@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDqDCCAhACCQCEdK4gfnegHjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd1
 bmJvdW5kMB4XDTE5MTAwNjA4MjIwNVoXDTM5MDYyMzA4MjIwNVowGjEYMBYGA1UE
 AwwPdW5ib3VuZC1jb250cm9sMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC
 AYEAvcaWmhz+fWYV61/2Z5enMLyDIQbWdOY2OMSv+YfnbNJp6odY49fHgy95vcaX
 E/f6F0S6CPAuHVXvG1FdEi5ITbKq7bvsPpfIr+ecmVQOETfGBheC8hD2PFlJ86xi
 mYRV02b3AdNzWwGy0NcYdV4W2d2l0t8Pd84sMNFQXZExjxRVgus9ZUcX7rkNu0qf
 wQDJvUogmaj5xNQm64MEWrT3SLWEF/Hu8WmI+kIcMgf22DBwK9irYTOrnuRa2Twb
 LJa2rZk2/WyJcglt1QlwNnJDTpp5bPMIALCcIztHbeKBVzXksbmz6O5ef2f9T4Qs
 1kpUDC5bQph3droJVtTbSzonmuRzeFSJ0cWjJeCdaY9HGw/es0eWfdsumQxbKHxK
 I6iKF1maKQX0mx1MlrrPjSRlEIFSALwgpLZHIF1dwnUR4q+d8Z6YvqcfqnZwHDtE
 a78UUW6FdkE+DbwSlKl4P2jt61l2QBU9SIeXQmGPt3FoDwmJgdN+7i/wNuKVRPgp
 q5DLAgMBAAEwDQYJKoZIhvcNAQELBQADggGBAIP4uqKphayhwU6boyfo9SlJ9xse
 fzqOS5MPIEcm85oZyQ+pvxse0Db0Ogc5S+S8seLtRE0lOHL0SmlANewxxf3IWpyo
 4hIQ3NeDwMOyUFPO3UFpH+13ylwfMX/cZawQleZB3ZvEKALsihRk4upkCuZ3GEHS
 qeEiG5o8eJANcp2LEKsqkGWffs1KN+or/jFMwPhRMnNZEcF4cs1S4JmUjy80yFC4
 01K9VqWtFrywPzClU3lATPk9xcD6+RIlG4K4D4sWLw6bSuoIYUimXLnJ27XFIrhb
 6TnyVnCW2EMmUYVQuEP5z0erRmPBXbEs4CMh3gQH6jYa/VZxBpSHYOkMGnwIFr7E
 g2SuGr00szI3ltvqAPI0YP6dIla+0X1J/TukWWqhUAcHrHhqwXwWyGOVdANv4fkI
 2NrWQNOaAO1gPDMOJnNbBgyeyDubps5+BSnY2yEhyfq1IS9eiScMHY54JodcYJSp
 R6C7tUhjpr0qhf2C2fHEVA6BpuOJRKQim378Zg==
 -----END CERTIFICATE-----
--- a/etc/unbound/unbound_server.pem
+++ b/etc/unbound/unbound_server.pem
@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDoDCCAggCCQCg9zp9pzE1BDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd1
 bmJvdW5kMB4XDTE5MTAwNjA4MjIwNVoXDTM5MDYyMzA4MjIwNVowEjEQMA4GA1UE
 AwwHdW5ib3VuZDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALxPDHlA
 +pITslIewNJ9qa8FjeArKCW1odfaQmFvjV6S7EessWCLmYtArW7f6+rHiO9uHsie
 iSd126dYmfgdUNYDenedXK4stXBVshEfgXBsAncnrqhMHYKswkMHwTy6nukK2CHf
 TrFSZSdJnIN9fxaa8oQr9oWmjAbk/8Q+b6cJeJ5zoZb9E6VrHVy/4Y0PFmwvwDAb
 ky3azAfOgUqQNADEgBDMoiY/usMkTqdByToeL+nfiox+iRezIgEcfedGDSqsvEqH
 5S3Vhc//tstW9pvKL2B0oBQYmxgANbDvRS+z2bU9LtGnX+CCFN75xQM4seTQ+a9G
 UJzQI24hLoOBrP3TvA4NgcEYoit/eJhAwkxhrfi/SvSm1XI3QOPfN5Na5m4f7uod
 nKByubAnCzL4kNLs74tCLLV4X+DP4bXwR21uFKYg7bll6uNTqFmtRMm3x+Bxc2on
 ui7/Vfl9pZ0V1Qj+adQfA+jjG34zC47ep+1Czc2EFWU/C1541WwW60iSzQIDAQAB
 MA0GCSqGSIb3DQEBCwUAA4IBgQAF496S2lCDLdO0CNiVNAZ5mjyRCD2VIPGJyAPh
 AXZA33QSYPnzCrYrH8PHUXzufsa5rp8esS9Ko3S8JAqb+Ui5Oaj3opXPcaYYcOoq
 DrM5K4tgFfpla3P/ebCnoscLYyZAHzKAtChf4kOkJ3z2kN8/V/U9FEiLGylrfTRK
 a9fdsNZdZ6FEJY9ZJViUZRTcUQpLWr89PfjLv2WaRUP5rwiuwtiKTPP5LIoPI/3J
 Y/42vMA7Oed4NYdsbgfBkzMyrWUcXTM3V/ioluZaUKbCB9nxrvlPbZdoJS7bQxCT
 GpStN4t53ToHp63vK8KpC0y00ElcjIVTRv7/cKyU1QJpQCPX2jqRNswQdxD6NiXe
 WUpUf8akVTfX88Ta0Z/kyMkqXpSTgD3B9yyvT6Cii7a1kMJJQl9LF3CexgpV+xSL
 ICQV3HLtodtjhL+d0Qc9yXPuNMp52YtFRZs4K7DpgfZvdrQoRvzIOHOhsCGPjNGu
 9T7YD+1VUzSWmxNZJbaCKSmaCMU=
 -----END CERTIFICATE-----
--- a/root/.gitconfig
+++ b/root/.gitconfig
@ -0,0 +1,13 @@
 # This is Git's per-user configuration file.
 [user]
 # Please adapt and uncomment the following lines:
 	name = "OpenFest Server User"
 	email = core@openfest.org
 [alias]
 	co = checkout
 	ci = commit
 	hist = log --pretty=format:'%h %ad | %s%d [%an]' --graph --date=short
 	synctags = "!if [ $(git remote show | wc -l) -gt 1 ] ; then for r in $(git remote show) ; do echo \"Fetching $r ...\" ; git fetch $r ; done && git push --tags origin; fi"
  vvci = commit --author='Vladimir Vitkov <vvitkov@gmail.com>'
  rpci = commit --author='robotpanic <kalin.t.iliev@gmail.com>'