From 23f2b1688f0f6db2986c7576dc7be1860a9557f6 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Tue, 28 Jun 2016 12:31:21 -0400 Subject: [PATCH] reset --- conf/blocklist/sync-fail2ban | 85 -- conf/fail2ban/jail.local | 66 +- conf/fail2ban/miab-management-daemon.conf | 12 - conf/fail2ban/miab-munin.conf | 7 - conf/fail2ban/miab-owncloud.conf | 7 - conf/fail2ban/miab-postfix-submission.conf | 7 - conf/fail2ban/miab-roundcube.conf | 9 - conf/fail2ban/nginx-badbots.conf | 21 - conf/fail2ban/nginx.conf | 17 - conf/fail2ban/owncloud.conf | 8 - conf/rkhunter/rkhunter.conf | 1008 -------------------- setup/system.sh | 36 - 12 files changed, 3 insertions(+), 1280 deletions(-) delete mode 100644 conf/blocklist/sync-fail2ban delete mode 100644 conf/fail2ban/miab-management-daemon.conf delete mode 100644 conf/fail2ban/miab-munin.conf delete mode 100644 conf/fail2ban/miab-owncloud.conf delete mode 100644 conf/fail2ban/miab-postfix-submission.conf delete mode 100644 conf/fail2ban/miab-roundcube.conf delete mode 100644 conf/fail2ban/nginx-badbots.conf delete mode 100644 conf/fail2ban/nginx.conf delete mode 100644 conf/fail2ban/owncloud.conf delete mode 100644 conf/rkhunter/rkhunter.conf diff --git a/conf/blocklist/sync-fail2ban b/conf/blocklist/sync-fail2ban deleted file mode 100644 index 3ee9c23a..00000000 --- a/conf/blocklist/sync-fail2ban +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/bash - -## Update fail2ban iptables with globally known attackers. -## Actually, runs 100% independently now, without needing fail2ban installed. -## -## /etc/cron.daily/sync-fail2ban -## -## Author: Marcos Kobylecki -## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ - - -## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. -#PROGRAM=/etc/init.d/fail2ban -#[ -x $PROGRAM ] || exit 0 - -datadir=/etc/fail2ban -[[ -d "$datadir" ]] || datadir=/tmp - -## Get default settings of fail2ban (optional?) -[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban - -umask 000 -blacklistf=$datadir/blacklist.blocklist.de.txt - -mv -vf $blacklistf $blacklistf.last - -badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" - - - iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. - -# Grab list(s) at https://www.blocklist.de/en/export.html . Block. -echo "Adding new blocks:" - time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ - |sort -u \ - |tee $blacklistf \ - |grep -v '^#\|:' \ - |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done - - - -# Which listings had been removed since last time? Unblock. -echo "Removing old blocks:" -if [[ -r $blacklistf.diff ]]; then - # comm is brittle, cannot use sort -rn - time comm -23 $blacklistf.last $blacklistf \ - |tee $blacklistf.delisted \ - |grep -v '^#\|:' \ - |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done - -fi - - -# prepare for next time. - diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff - - - - - -# Saves a copy of current iptables rules, should you like to check them later. -(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & - - -exit - -# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found -# So weed out IPv6, try |grep -v ':' - -## http://ix.io/fpC - - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionunban = iptables -D fail2ban- -s -j \ No newline at end of file diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index c6c8b00f..dc338803 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -6,39 +6,21 @@ # ours too. The string is substituted during installation. ignoreip = 127.0.0.1/8 PUBLIC_IP -action = %(action_mwl)s - # JAILS -# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses, in addition to blocklist.de [ssh] maxretry = 7 bantime = 3600 - + [ssh-ddos] enabled = true [sasl] enabled = true - -[nginx] - -enabled = true -filter = nginx-http-auth -port = http,https - -[nginx-badbots] - -enabled = true -port = http,https -filter = nginx-badbots -logpath = /var/log/nginx/access.log -maxretry = 2 - [dovecot] -enabled = true -filter = dovecotimap +enabled = true +filter = dovecotimap findtime = 30 maxretry = 20 logpath = /var/log/mail.log @@ -47,7 +29,6 @@ logpath = /var/log/mail.log enabled = true maxretry = 10 action = iptables-allports[name=recidive] - # In the recidive section of jail.conf the action contains: # # action = iptables-allports[name=recidive] @@ -58,44 +39,3 @@ action = iptables-allports[name=recidive] # By default we don't configure this address and no action is required from the admin anyway. # So the notification is ommited. This will prevent message appearing in the mail.log that mail # can't be delivered to fail2ban@$HOSTNAME. - -# Copied from ChiefGyk's OwnCloud -[owncloud] -enabled = true -filter = owncloud -logpath = STORAGE_ROOT/owncloud/owncloud.log -maxretry = 20 -findtime = 300 - -[miab-management] -enabled = true -filter = miab-management-daemon -port = http,https -logpath = /var/log/syslog -maxretry = 20 -findtime = 30 - -[miab-munin] -enabled = true -port = http,https -filter = miab-munin -logpath = /var/log/nginx/access.log -maxretry = 20 -findtime = 30 - -[miab-postfix587] -enabled = true -port = 587 -filter = miab-postfix-submission -logpath = /var/log/mail.log -maxretry = 20 -findtime = 30 - -[miab-roundcube] -enabled = true -port = http,https -filter = miab-roundcube -logpath = /var/log/roundcubemail/errors -maxretry = 20 -findtime = 30 - diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/miab-management-daemon.conf deleted file mode 100644 index 0b0489c2..00000000 --- a/conf/fail2ban/miab-management-daemon.conf +++ /dev/null @@ -1,12 +0,0 @@ -# Fail2Ban filter Mail-in-a-Box management daemon - -[INCLUDES] - -before = common.conf - -[Definition] - -_daemon = mailinabox - -failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* -ignoreregex = diff --git a/conf/fail2ban/miab-munin.conf b/conf/fail2ban/miab-munin.conf deleted file mode 100644 index b254cc62..00000000 --- a/conf/fail2ban/miab-munin.conf +++ /dev/null @@ -1,7 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] -failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* -ignoreregex = diff --git a/conf/fail2ban/miab-owncloud.conf b/conf/fail2ban/miab-owncloud.conf deleted file mode 100644 index a9a13f2c..00000000 --- a/conf/fail2ban/miab-owncloud.conf +++ /dev/null @@ -1,7 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] -failregex=Login failed: .*Remote IP: '[\)'] -ignoreregex = diff --git a/conf/fail2ban/miab-postfix-submission.conf b/conf/fail2ban/miab-postfix-submission.conf deleted file mode 100644 index 236e1331..00000000 --- a/conf/fail2ban/miab-postfix-submission.conf +++ /dev/null @@ -1,7 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] -failregex=postfix/submission/smtpd.*warning.*\[\]: .* authentication (failed|aborted) -ignoreregex = diff --git a/conf/fail2ban/miab-roundcube.conf b/conf/fail2ban/miab-roundcube.conf deleted file mode 100644 index c6979c85..00000000 --- a/conf/fail2ban/miab-roundcube.conf +++ /dev/null @@ -1,9 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] - -failregex = IMAP Error: Login failed for .*? from \. AUTHENTICATE.* - -ignoreregex = diff --git a/conf/fail2ban/nginx-badbots.conf b/conf/fail2ban/nginx-badbots.conf deleted file mode 100644 index b2ac9626..00000000 --- a/conf/fail2ban/nginx-badbots.conf +++ /dev/null @@ -1,21 +0,0 @@ -# Fail2Ban configuration file -# -# Regexp to catch known spambots and software alike. Please verify -# that it is your intent to block IPs which were driven by -# above mentioned bots. - - -[Definition] - -badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider -badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 - -failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ - -ignoreregex = - -# DEV Notes: -# List of bad bots fetched from http://www.user-agents.org -# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. -# -# Author: Yaroslav Halchenko diff --git a/conf/fail2ban/nginx.conf b/conf/fail2ban/nginx.conf deleted file mode 100644 index 74dfe184..00000000 --- a/conf/fail2ban/nginx.conf +++ /dev/null @@ -1,17 +0,0 @@ -# fail2ban filter configuration for nginx - - -[Definition] - - -failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ - ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ - -ignoreregex = - -# DEV NOTES: -# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files -# Extensive search of all nginx auth failures not done yet. -# -# Author: Daniel Black -# Second entry done by Alon Ganon \ No newline at end of file diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/owncloud.conf deleted file mode 100644 index c62763d0..00000000 --- a/conf/fail2ban/owncloud.conf +++ /dev/null @@ -1,8 +0,0 @@ -[INCLUDES] -before = common.conf - -[Definition] -_daemon = owncloud - -failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*","method":".*} -ignoreregex = diff --git a/conf/rkhunter/rkhunter.conf b/conf/rkhunter/rkhunter.conf deleted file mode 100644 index 698f2be7..00000000 --- a/conf/rkhunter/rkhunter.conf +++ /dev/null @@ -1,1008 +0,0 @@ -# -# This is the main configuration file for Rootkit Hunter. -# -# You can either modify this file directly, or you can create a local -# configuration file. The local file must be named 'rkhunter.conf.local', -# and must reside in the same directory as this file. Please modify one -# or both files to your own requirements. It is suggested that the -# command 'rkhunter -C' is run after any changes have been made. -# -# Please review the documentation before posting bug reports or questions. -# To report bugs, obtain updates, or provide patches or comments, please go to: -# http://rkhunter.sourceforge.net -# -# To ask questions about rkhunter, please use the rkhunter-users mailing list. -# Note this is a moderated list: please subscribe before posting. -# -# Lines beginning with a hash (#), and blank lines, are ignored. -# End-of-line comments are not supported. -# -# Most of the following options need only be specified once. If -# they appear more than once, then the last one seen will be used. -# Some options are allowed to appear more than once, and the text -# describing the option will say if this is so. -# -# Some of the options are space-separated lists of pathnames. If -# wildcard characters (globbing) are allowed in the list, then the -# text describing the option will say so. -# -# Space-separated lists may be enclosed by quotes, but these must only -# appear at the start and end of the list, not in the middle. -# -# For example: XXX="abc def gh" (correct) -# XXX="abc" "def" "gh" (incorrect) -# - - -# -# If this option is set to 1, it specifies that the mirrors file -# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' -# options are used, is to be rotated. Rotating the entries in the file -# allows a basic form of load-balancing between the mirror sites whenever -# the above options are used. -# If the option is set to 0, then the mirrors will be treated as if in -# a priority list. That is, the first mirror listed will always be used -# first. The second mirror will only be used if the first mirror fails, -# the third mirror will only be used if the second mirror fails, and so on. -# -# If the mirrors file is read-only, then the '--versioncheck' command-line -# option can only be used if this option is set to 0. -# -ROTATE_MIRRORS=1 - -# -# If this option is set to 1, it specifies that when the '--update' -# option is used, then the mirrors file is to be checked for updates -# as well. If the current mirrors file contains any local mirrors, -# these will be prepended to the updated file. -# If this option is set to 0, the mirrors file can only be updated -# manually. This may be useful if only using local mirrors. -# -UPDATE_MIRRORS=1 - -# -# The MIRRORS_MODE option tells rkhunter which mirrors are to be -# used when the '--update' or '--versioncheck' command-line options -# are given. Possible values are: -# 0 - use any mirror (the default) -# 1 - only use local mirrors -# 2 - only use remote mirrors -# -# Local and remote mirrors can be defined in the mirrors file -# by using the 'local=' and 'remote=' keywords respectively. -# -MIRRORS_MODE=0 - -# -# Email a message to this address if a warning is found when the -# system is being checked. Multiple addresses may be specified -# simply be separating them with a space. Setting this option to -# null disables the option. -# -# NOTE: This option should be present in the configuration file. -# -#MAIL-ON-WARNING=me@mydomain root@mydomain - -# -# Specify the mail command to use if MAIL-ON-WARNING is set. -# -# NOTE: Double quotes are not required around the command, but -# are required around the subject line if it contains spaces. -# -MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" - -# -# Specify the temporary directory to use. -# -# NOTE: Do not use /tmp as your temporary directory. Some -# important files will be written to this directory, so be -# sure that the directory permissions are tight. -# -TMPDIR=/var/lib/rkhunter/tmp - -# -# Specify the database directory to use. -# -DBDIR=/var/lib/rkhunter/db - -# -# Specify the script directory to use. -# -SCRIPTDIR=/usr/share/rkhunter/scripts - -# -# This option can be used to modify the command directory list used -# by rkhunter to locate commands (that is, its PATH). By default -# this will be the root PATH, and an internal list of some common -# command directories. -# -# Any directories specified here will, by default, be appended to the -# default list. However, if a directory name begins with the '+' -# character, then that directory will be prepended to the list (that -# is, it will be put at the start of the list). -# -# This is a space-separated list of directory names. The option may -# be specified more than once. -# -#BINDIR="/bin /usr/bin /sbin /usr/sbin" -#BINDIR="+/usr/local/bin +/usr/local/sbin" - -# -# Specify the default language to use. This should be similar -# to the ISO 639 language code. -# -# NOTE: Please ensure that the language you specify is supported. -# For a list of supported languages use the following command: -# -# rkhunter --lang en --list languages -# -#LANGUAGE=en - -# -# This option is a space-separated list of the languages that are to -# be updated when the '--update' option is used. If unset, then all -# the languages will be updated. If none of the languages are to be -# updated, then set this option to just 'en'. -# -# The default is for all the languages to be updated. The default -# language, specified above, and the English (en) language file will -# always be updated regardless of this option. -# -UPDATE_LANG="" - -# -# Specify the log file pathname. -# -# NOTE: This option should be present in the configuration file. -# -LOGFILE=/var/log/rkhunter.log - -# -# Set the following option to 1 if the log file is to be appended to -# whenever rkhunter is run. -# -APPEND_LOG=0 - -# -# Set the following option to 1 if the log file is to be copied when -# rkhunter finishes and an error or warning has occurred. The copied -# log file name will be appended with the current date and time -# (in YYYY-MM-DD_HH:MM:SS format). -# For example: rkhunter.log.2009-04-21_00:57:51 -# -COPY_LOG_ON_ERROR=0 - -# -# Set the following option to enable the rkhunter check start and finish -# times to be logged by syslog. Warning messages will also be logged. -# The value of the option must be a standard syslog facility and -# priority, separated by a dot. For example: -# -# USE_SYSLOG=authpriv.warning -# -# Setting the value to 'none', or just leaving the option commented out, -# disables the use of syslog. -# -#USE_SYSLOG=authpriv.notice - -# -# Set the following option to 1 if the second colour set is to be used. -# This can be useful if your screen uses black characters on a white -# background (for example, a PC instead of a server). -# -COLOR_SET2=0 - -# -# Set the following option to 0 if rkhunter should not detect if X is -# being used. If X is detected as being used, then the second colour -# set will automatically be used. -# -AUTO_X_DETECT=1 - -# -# Set the following option to 1 if it is wanted that any 'Whitelisted' -# results are shown in white rather than green. For colour set 2 users, -# setting this option will cause the result to be shown in black. -# -WHITELISTED_IS_WHITE=0 - -# -# The following option is checked against the SSH configuration file -# 'PermitRootLogin' option. A warning will be displayed if they do not -# match. However, if a value has not been set in the SSH configuration -# file, then a value here of 'unset' can be used to avoid warning messages. -# This option has a default value of 'no'. -# -ALLOW_SSH_ROOT_USER=no - -# -# Set this option to '1' to allow the use of the SSH-1 protocol, but note -# that theoretically it is weaker, and therefore less secure, than the -# SSH-2 protocol. Do not modify this option unless you have good reasons -# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 -# authentication). If the 'Protocol' option has not been set in the SSH -# configuration file, then a value of '2' may be set here in order to -# suppress a warning message. This option has a default value of '0'. -# -ALLOW_SSH_PROT_V1=0 - -# -# This setting tells rkhunter the directory containing the SSH configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. -# -#SSH_CONFIG_DIR=/etc/ssh - -# -# These two options determine which tests are to be performed. -# The ENABLE_TESTS option can use the word 'all' to refer to all the -# available tests. The DISABLE_TESTS option can use the word 'none' to -# mean that no tests are disabled. The list of disabled tests is applied to -# the list of enabled tests. Both options are space-separated lists of test -# names. The currently available test names can be seen by using the command -# 'rkhunter --list tests'. -# -# The program defaults are to enable all tests and disable none. However, if -# either of the options below are specified, then they will override the -# program defaults. -# -# The supplied configuration file has some tests already disabled, and these -# are tests that will be used only occasionally, can be considered -# "advanced" or that are prone to produce more than the average number of -# false-positives. -# -# Please read the README file for more details about enabling and disabling -# tests, the test names, and how rkhunter behaves when these options are used. -# -# hidden_procs test requires the unhide command which is part of the unhide -# package in Debian. -# -# apps test is disabled by default as it triggers warnings about outdated -# applications (and warns about possible security risk: we better trust -# the Debian Security Team). -# -ENABLE_TESTS="all" -DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" - -# -# The HASH_FUNC option can be used to specify the command to use -# for the file hash value check. It can be specified as just the -# command name or the full pathname. If just the command name is -# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or -# SHA512, then rkhunter will first look for the relevant command, -# such as 'sha256sum', and then for 'sha256'. If neither of these -# are found, it will then look to see if a perl module has been -# installed which will support the relevant hash function. To see -# which perl modules have been installed use the command -# 'rkhunter --list perl'. -# -# The default is SHA1, or MD5 if SHA1 cannot be found. -# -# Systems using prelinking are restricted to using either the -# SHA1 or MD5 function. -# -# A value of 'NONE' (in uppercase) can be specified to indicate that -# no hash function should be used. Rootkit Hunter will detect this and -# automatically disable the file hash checks. -# -# Examples: -# For Solaris 9 : HASH_FUNC=gmd5sum -# For Solaris 10: HASH_FUNC=sha1sum -# For AIX (>5.2): HASH_FUNC="csum -hMD5" -# For NetBSD : HASH_FUNC="cksum -a sha512" -# -# NOTE: If the hash function is changed then you MUST run rkhunter with -# the '--propupd' option to rebuild the file properties database. -# -#HASH_FUNC=sha1sum - -# -# The HASH_FLD_IDX option specifies which field from the HASH_FUNC -# command output contains the hash value. The fields are assumed to -# be space-separated. The default value is 1, but for *BSD users -# rkhunter will, by default, use a value of 4 if the HASH_FUNC option -# has not been set. The option value must be an integer greater -# than zero. -# -#HASH_FLD_IDX=4 - -# -# The PKGMGR option tells rkhunter to use the specified package manager -# to obtain the file property information. This is used when updating -# the file properties file ('rkhunter.dat'), and when running the file -# properties check. For RedHat/RPM-based systems, 'RPM' can be used to -# get information from the RPM database. For Debian-based systems 'DPKG' -# can be used, for *BSD systems 'BSD' can be used, and for Solaris -# systems 'SOLARIS' can be used. No value, or a value of 'NONE', -# indicates that no package manager is to be used. The default is 'NONE'. -# -# The current package managers, except 'SOLARIS', store the file hash -# values using an MD5 hash function. The Solaris package manager includes -# a checksum value, but this is not used by default (see USE_SUNSUM below). -# -# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. -# The 'RPM' package manager additionally provides values for the inode, -# file permissions, uid, gid and other values. The 'SOLARIS' also provides -# most of the values, similar to 'RPM', but not the inode number. -# -# For any file not part of a package, rkhunter will revert to using the -# HASH_FUNC hash function instead. -# -# Whenever this option is changed 'rkhunter --propupd' must be run. -# -# NONE is the default for Debian as well, as running --propupd takes -# about 4 times longer when it's set to DPKG -# -PKGMGR=DPKG - -# -# It is possible that a file which is part of a package may be modified -# by the administrator. Typically this occurs for configuration files. -# However, the package manager may list the file as being modified. For -# the RPM package manager this may well depend on how the package was -# built. This option specifies those pathnames which are to be exempt -# from the package manager verification process, and which will be treated -# as non-packaged files. As such, the file properties are still checked. -# -# This option only takes effect if the PKGMGR option has been set, and -# is not 'NONE'. -# -# This is a space-separated list of pathnames. The option may -# be specified more than once. -# -# Whenever this option is changed 'rkhunter --propupd' must be run. -# -#PKGMGR_NO_VRFY="" - -# -# This option can be used to tell rkhunter to ignore any prelink -# dependency errors for the given commands. However, a warning will also -# be issued if the error does not occur for a given command. As such -# this option must only be used on commands which experience a persistent -# problem. -# -# Short-term prelink dependency errors can usually be resolved simply by -# running the 'prelink' command on the given pathname. -# -# NOTE: The command 'rkhunter --propupd' must be run whenever this option -# is changed. -# -# This is a space-separated list of command pathnames. The option can be -# specified more than once. -# -#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" - -# -# If the 'SOLARIS' package manager is used, then it is possible to use -# the checksum (hash) value stored for a file. However, this is only a -# 16-bit checksum, and as such is not nearly as secure as, for example, -# a SHA-2 value. For that reason, the checksum is not used by default, -# and the hash function given by HASH_FUNC is used instead. To enable -# this option, set its value to 1. The Solaris 'sum' command must be -# present on the system if this option is used. -# -#USE_SUNSUM=0 - -# -# This option is a space-separated list of commands, directories and file -# pathnames which will be included in the file properties checks. -# This option can be specified more than once. -# -# Whenever this option is changed, 'rkhunter --propupd' must be run. -# -# Simple command names - for example, 'top' - and directory names are -# added to the internal list of directories to be searched for each of -# the command names in the command list. Additionally, full pathnames -# to files, which need not be commands, may be given. Any files or -# directories which are already part of the internal lists will be -# silently ignored from the configuration. -# -# Normal globbing wildcards are allowed, except for simple command names. -# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. -# -# Specific files may be excluded by preceding their name with an -# exclamation mark (!). For example, '!/opt/top'. By combining this -# with wildcarding, whole directories can be excluded. For example, -# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first -# two directory levels of '/etc'. However, anything in '/etc/rc0.d', -# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. -# -# NOTE: Only files and directories which have been added by the user, -# and are not part of the internal lists, can be excluded. So, for -# example, it is not possible to exclude the 'ps' command by using -# '!/bin/ps'. These will be silently ignored from the configuration. -# -#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" -#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" -#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" -#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" -#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" -#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" -#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" - -# -# This option whitelists files and directories from existing, -# or not existing, on the system at the time of testing. This -# option is used when the configuration file options themselves -# are checked, and during the file properties check, the hidden -# files and directories checks, and the filesystem check of the -# '/dev' directory. -# -# This is a space-separated list of pathnames. The option may be -# specified more than once. The option may use wildcard characters, -# but be aware that this is probably not what you want to do as the -# wildcarding will be expanded after files have been deleted. As -# such deleted files won't be whitelisted if wildcarded. -# -# NOTE: The user must take into consideration how often the file will -# appear and disappear from the system in relation to how often -# rkhunter is run. If the file appears, and disappears, too often -# then rkhunter may not notice this. All it will see is that the file -# has changed. The inode-number and DTM will certainly be different -# for each new file, and rkhunter will report this. -# -#EXISTWHITELIST="" - -# -# Whitelist various attributes of the specified files. -# The attributes are those of the 'attributes' test. -# Specifying a file name here does not include it being -# whitelisted for the write permission test (see below). -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#ATTRWHITELIST="/bin/ps /usr/bin/date" - -# -# Allow the specified commands to have the 'others' -# (world) permission have the write-bit set. -# -# For example, files with permissions r-xr-xrwx -# or rwxrwxrwx. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#WRITEWHITELIST="/bin/ps /usr/bin/date" - -# -# Allow the specified commands to be scripts. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -SCRIPTWHITELIST=/bin/egrep -SCRIPTWHITELIST=/bin/fgrep -SCRIPTWHITELIST=/bin/which -SCRIPTWHITELIST=/usr/bin/groups -SCRIPTWHITELIST=/usr/bin/ldd -#SCRIPTWHITELIST=/usr/bin/lwp-request -SCRIPTWHITELIST=/usr/sbin/adduser -#SCRIPTWHITELIST=/usr/sbin/prelink -SCRIPTWHITELIST=/usr/bin/unhide.rb - -# -# Allow the specified commands to have the immutable attribute set. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" - -# -# If this option is set to 1, then the immutable-bit test is -# reversed. That is, the files are expected to have the bit set. -# -IMMUTABLE_SET=0 - -# -# Allow the specified hidden directories to be whitelisted. -# -# This is a space-separated list of directory pathnames. -# The option may be specified more than once. The option -# may use wildcard characters. -# -#ALLOWHIDDENDIR="/etc/.java" -#ALLOWHIDDENDIR="/dev/.static" -#ALLOWHIDDENDIR="/dev/.SRC-unix" -#ALLOWHIDDENDIR="/etc/.etckeeper" -ALLOWHIDDENDIR="/dev/.udev" - - -# -# Allow the specified hidden files to be whitelisted. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#ALLOWHIDDENFILE="/etc/.java" -#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" -#ALLOWHIDDENFILE="/etc/.pwd.lock" -#ALLOWHIDDENFILE="/etc/.init.state" -#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" -#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" -#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" -#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" -#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" -#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz" -#ALLOWHIDDENFILE="/etc/.gitignore" -#ALLOWHIDDENFILE="/etc/.bzrignore" -ALLOWHIDDENFILE="/dev/.blkid.tab" -ALLOWHIDDENFILE="/dev/.blkid.tab.old" -ALLOWHIDDENFILE="/dev/.initramfs" - -# -# Allow the specified processes to use deleted files. The -# process name may be followed by a colon-separated list of -# full pathnames. The process will then only be whitelisted -# if it is using one of the given files. For example: -# -# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" -# -# This is a space-separated list of process names. The option -# may be specified more than once. The option may use wildcard -# characters, but only in the file names. -# -#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" -#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2" -#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" -#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin" -#ALLOWPROCDELFILE="/usr/bin/file-roller" - -# -# Allow the specified processes to listen on any network interface. -# -# This is a space-separated list of process names. The option -# may be specified more than once. -# -#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" -#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" -#ALLOWPROCLISTEN="/usr/sbin/snort-plain" - -# -# Allow the specified network interfaces to be in promiscuous mode. -# -# This is a space-separated list of interface names. The option may -# be specified more than once. -# -#ALLOWPROMISCIF="eth0" - -# -# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. -# The two allowed options are: THOROUGH or LAZY. -# If commented out we do a THOROUGH scan which will increase the runtime. -# Even though this adds to the running time it is highly recommended to -# leave it like this. -# -#SCAN_MODE_DEV=THOROUGH - -# -# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to -# perform a basic check, or a more thorough check. If the option is set to 0, -# then a basic check is performed. If it is set to 1, then all the directries -# in the /etc and /usr directories are scanned. The default value is 0. Users -# should note that setting this option to 1 will cause the test to take longer -# to complete. -# -PHALANX2_DIRTEST=0 - -# -# Allow the specified files to be present in the /dev directory, -# and not regarded as suspicious. -# -# This is a space-separated list of pathnames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#ALLOWDEVFILE="/dev/shm/pulse-shm-*" -#ALLOWDEVFILE="/dev/shm/sem.ADBE_*" -ALLOWDEVFILE="/dev/.udev/rules.d/root.rules" - -# -# This setting tells rkhunter where the inetd configuration -# file is located. -# -#INETD_CONF_PATH=/etc/inetd.conf - -# -# Allow the following enabled inetd services. -# -# This is a space-separated list of service names. The option may -# be specified more than once. -# -# For non-Solaris users the simple service name should be used. -# For example: -# -# INETD_ALLOWED_SVC=echo -# -# For Solaris 9 users the simple service name should also be used, but -# if it is an RPC service, then the executable pathname should be used. -# For example: -# -# INETD_ALLOWED_SVC=imaps -# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" -# -# For Solaris 10 users the service/FMRI name should be used. For example: -# -# INETD_ALLOWED_SVC=/network/rpc/meta -# INETD_ALLOWED_SVC=/network/rpc/metamed -# INETD_ALLOWED_SVC=/application/font/stfsloader -# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord -# -#INETD_ALLOWED_SVC=echo - -# -# This setting tells rkhunter where the xinetd configuration -# file is located. -# -#XINETD_CONF_PATH=/etc/xinetd.conf - -# -# Allow the following enabled xinetd services. Whilst it would be -# nice to use the service names themselves, at the time of testing -# we only have the pathname available. As such, these entries are -# the xinetd file pathnames. -# -# This is a space-separated list of service names. The option may -# be specified more than once. -# -#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo - -# -# This option tells rkhunter the local system startup file pathnames. -# The directories will be searched for files. By default rkhunter -# will use certain filenames and directories. If the option is set -# to 'none', then certain tests will be skipped. -# -# This is a space-separated list of file and directory pathnames. -# The option may be specified more than once. The option may use -# wildcard characters. -# -#STARTUP_PATHS="/etc/init.d /etc/rc.local" - -# -# This setting tells rkhunter the pathname to the file containing the -# user account passwords. This setting will be worked out by rkhunter, -# and so should not usually need to be set. Users of TCB shadow files -# should not set this option. -# -#PASSWORD_FILE=/etc/shadow - -# -# Allow the following accounts to be root equivalent. These accounts -# will have a UID value of zero. The 'root' account does not need to -# be listed as it is automatically whitelisted. -# -# This is a space-separated list of account names. The option may -# be specified more than once. -# -# NOTE: For *BSD systems you will probably need to use this option -# for the 'toor' account. -# -#UID0_ACCOUNTS="toor rooty sashroot" - -# -# Allow the following accounts to have no password. NIS/YP entries do -# not need to be listed as they are automatically whitelisted. -# -# This is a space-separated list of account names. The option may -# be specified more than once. -# -#PWDLESS_ACCOUNTS="abc" - -# -# This setting tells rkhunter the pathname to the syslog configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. A value of 'NONE' can be used to indicate -# that there is no configuration file, but that the syslog daemon process -# may be running. -# -# This is a space-separated list of pathnames. The option may -# be specified more than once. -# -#SYSLOG_CONFIG_FILE=/etc/syslog.conf - -# -# This option permits the use of syslog remote logging. -# -ALLOW_SYSLOG_REMOTE_LOGGING=0 - -# -# Allow the following applications, or a specific version of an application, -# to be whitelisted. This option may be specified more than once, and is a -# space-separated list consisting of the application names. If a specific -# version is to be whitelisted, then the name must be followed by a colon -# and then the version number. For example: -# -# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" -# -# Note above that for the Apache web server, the name 'httpd' is used. -# -#APP_WHITELIST="" - -# -# Scan for suspicious files in directories containing temporary files and -# directories posing a relatively higher risk due to user write access. -# Please do not enable by default as suspscan is CPU and I/O intensive and prone to -# producing false positives. Do review all settings before usage. -# Also be aware that running suspscan in combination with verbose logging on, -# RKH's default, will show all ignored files. -# Please consider adding all directories the user the (web)server runs as has -# write access to including the document root (example: "/var/www") and log -# directories (example: "/var/log/httpd"). -# -# This is a space-separated list of directory pathnames. -# The option may be specified more than once. -# -#SUSPSCAN_DIRS="/tmp /var/tmp" - -# -# Directory for temporary files. A memory-based one is better (faster). -# Do not use a directory name that is listed in SUSPSCAN_DIRS. -# Please make sure you have a tempfs mounted and the directory exists. -# -SUSPSCAN_TEMP=/dev/shm - -# -# Maximum filesize in bytes. Files larger than this will not be inspected. -# Do make sure you have enough space left in your temporary files directory. -# -SUSPSCAN_MAXSIZE=10240000 - -# -# Score threshold. Below this value no hits will be reported. -# A value of "200" seems "good" after testing on malware. Please adjust -# locally if necessary. -# -SUSPSCAN_THRESH=200 - -# -# The following option can be used to whitelist network ports which -# are known to have been used by malware. This option may be specified -# more than once. The option is a space-separated list of one or more -# of four types of whitelisting. These are: -# -# 1) a 'protocol:port' pair (e.g. TCP:25) -# 2) a pathname to an executable (e.g. /usr/sbin/squid) -# 3) a combined pathname, protocol and port -# (e.g. /usr/sbin/squid:TCP:3801) -# 4) an asterisk ('*') -# -# Only the UDP or TCP protocol may be specified, and the port number -# must be between 1 and 65535 inclusive. -# -# The asterisk can be used to indicate that any executable which rkhunter -# can locate as a command, is whitelisted. (See BINDIR in this file.) -# -# For example: -# -# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" -# -# NOTE: In order to whitelist a pathname, or use the asterisk option, -# the 'lsof' command must be present. -# -#PORT_WHITELIST="" - -# -# The following option can be used to tell rkhunter where the operating -# system 'release' file is located. This file contains information -# specifying the current O/S version. RKH will store this information -# itself, and check to see if it has changed between each run. If it has -# changed, then the user is warned that RKH may issue warning messages -# until RKH has been run with the '--propupd' option. -# -# Since the contents of the file vary according to the O/S distribution, -# RKH will perform different actions when it detects the file itself. As -# such, this option should not be set unless necessary. If this option is -# specified, then RKH will assume the O/S release information is on the -# first non-blank line of the file. -# -#OS_VERSION_FILE="/etc/debian_version" - -# -# The following two options can be used to whitelist files and directories -# that would normally be flagged with a warning during the various rootkit -# and malware checks. If the file or directory name contains a space, then -# the percent character ('%') must be used instead. Only existing files and -# directories can be specified, and these must be full pathnames not links. -# -# Additionally, the RTKT_FILE_WHITELIST option may include a string after the -# file name (separated by a colon). This will then only whitelist that string -# in that file (as part of the malware checks). For example: -# -# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" -# -# If the option list includes the filename on its own as well, then the file -# will be whitelisted from rootkit checks of the files existence, but still -# only the specific string within the file will be whitelisted. For example: -# -# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" -# -# To whitelist a file from the existence checks, but not from the strings -# checks, then include the filename on its own and on its own but with -# just a colon appended. For example: -# -# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" -# -# NOTE: It is recommended that if you whitelist any files, then you include -# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS -# configuration option. -# -# These are space-separated lists of file and directory pathnames. -# The options may be specified more than once. -# -#RTKT_DIR_WHITELIST="" -#RTKT_FILE_WHITELIST="" - -# -# The following option can be used to whitelist shared library files that would -# normally be flagged with a warning during the preloaded shared library check. -# These library pathnames usually exist in the '/etc/ld.so.preload' file or in -# the LD_PRELOAD environment variable. -# -# NOTE: It is recommended that if you whitelist any files, then you include -# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS -# configuration option. -# -# This is a space-separated list of library pathnames. -# The option may be specified more than once. -# -#SHARED_LIB_WHITELIST="/lib/snoopy.so" - -# -# To force rkhunter to use the supplied script for the 'stat' or 'readlink' -# command, then the following two options can be used. The value must be -# set to 'BUILTIN'. -# -# NOTE: IRIX users will probably need to enable STAT_CMD. -# -#STAT_CMD=BUILTIN -#READLINK_CMD=BUILTIN - -# -# In the file properties test any modification date/time is displayed as the -# number of epoch seconds. Rkhunter will try and use the 'date' command, or -# failing that the 'perl' command, to display the date and time in a -# human-readable format as well. This option may be used if some other command -# should be used instead. The given command must understand the '%s' and -# 'seconds ago' options found in the GNU date command. -# -# A value of 'NONE' may be used to request that only the epoch seconds be shown. -# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if -# it is present. -# -#EPOCH_DATE_CMD="" - -# -# This setting tells rkhunter the directory containing the available -# Linux kernel modules. This setting will be worked out by rkhunter, -# and so should not usually need to be set. -# -#MODULES_DIR="" - -# -# The following option can be set to a command which rkhunter will use when -# downloading files from the Internet - that is, when the '--update' or -# '--versioncheck' option is used. The command can take options. -# -# This allows the user to use a command other than the one automatically -# selected by rkhunter, but still one which it already knows about. -# For example: -# -# WEB_CMD=curl -# -# Alternatively, the user may specify a completely new command. However, note -# that rkhunter expects the downloaded file to be written to stdout, and that -# everything written to stderr is ignored. For example: -# -# WEB_CMD="/opt/bin/dlfile --timeout 5m -q" -# -# *BSD users may want to use the 'ftp' command, provided that it supports -# the HTTP protocol: -# -# WEB_CMD="ftp -o -" -# -#WEB_CMD="" - -# -# Set the following option to 0 if you do not want to receive a warning if -# any O/S information has changed since the last run of 'rkhunter --propupd'. -# The warnings occur during the file properties check. The default is to -# issue a warning if something has changed. -# -#WARN_ON_OS_CHANGE=1 - -# -# Set the following option to 1 if you want rkhunter to automatically run -# a file properties update ('--propupd') if the O/S has changed. Detection -# of an O/S change occurs during the file properties check. The default is -# not to do an automatic update. -# -# WARNING: Only set this option if you are sure that the update will work -# correctly. That is, that the database directory is writeable, that a valid -# hash function is available, and so on. This can usually be checked simply -# by running 'rkhunter --propupd' at least once. -# -#UPDT_ON_OS_CHANGE=0 - -# -# Set the following option to 1 if locking is to be used when rkhunter runs. -# The lock is set just before logging starts, and is removed when the program -# ends. It is used to prevent items such as the log file, and the file -# properties file, from becoming corrupted if rkhunter is running more than -# once. The mechanism used is to simply create a lock file in the TMPDIR -# directory. If the lock file already exists, because rkhunter is already -# running, then the current process simply loops around sleeping for 10 seconds -# and then retrying the lock. -# -# The default is not to use locking. -# -USE_LOCKING=0 - -# -# If locking is used, then rkhunter may have to wait to get the lock file. -# This option sets the total amount of time, in seconds, that rkhunter should -# wait. It will retry the lock every 10 seconds, until either it obtains the -# lock or the timeout value has been reached. If no value is set, then a -# default of 300 seconds (5 minutes) is used. -# -LOCK_TIMEOUT=300 - -# -# If locking is used, then rkhunter may be doing nothing for some time if it -# has to wait for the lock. Some simple messages are echo'd to the users screen -# to let them know that rkhunter is waiting for the lock. Set this option to 0 -# if the messages are not to be displayed. The default is to show them. -# -SHOW_LOCK_MSGS=1 - -# -# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function -# will search (on a per rootkit basis) for filenames in all of the directories (as defined -# by the result of running 'find / -xdev'). While still not optimal, as it -# still searches for only file names as opposed to file contents, this is one step away -# from the rigidity of searching in known (evidence) or default (installation) locations. -# -# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. -# -# You should only activate this feature as part of a more thorough investigation which -# should be based on relevant best practices and procedures. -# -# Enabling this feature implies you have the knowledge to interpret the results properly. -# -#SCANROOTKITMODE=THOROUGH - -# -# The following option can be set to the name(s) of the tests the 'unhide' command is -# to use. In order to maintain compatibility with older versions of 'unhide', this -# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but -# will only take effect when they are seen. The test names are a space-separated list, -# and will be executed in the order given. -# -#UNHIDE_TESTS="sys" - -# -# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it -# is possible to disable the execution of one of the programs if desired. By default -# rkhunter will look for both programs, and execute each of them as they are found. -# If the value of this option is 0, then both programs will be executed if they are -# present. A value of 1 will disable execution of the C 'unhide' program, and a value -# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable -# both programs, then disable the 'hidden_procs' test. -# -DISABLE_UNHIDE=1 - -INSTALLDIR="/usr" diff --git a/setup/system.sh b/setup/system.sh index af7afdf4..cc152524 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -118,26 +118,6 @@ apt_install python3 python3-dev python3-pip \ netcat-openbsd wget curl git sudo coreutils bc \ haveged pollinate \ unattended-upgrades cron ntp fail2ban - -# Add Rootkit hunter -# I have it install and then update to install dependencies and such -# It adds a crontab to check daily at 4:15AM -# Added by Alon "Chief Gyk" Ganon -apt_install rkhunter binutils libreadline5 ruby ruby1.9.1 unhide.rb -wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz -tar xzvf rkhunter* -cd rkhunter* -./installer.sh --layout /usr --install -cd .. -rm -rf rkhunter* -cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf.local -sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter -rkhunter --update -rkhunter --propupd -(crontab -l 2>/dev/null; echo "15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet -")| crontab - - - # ### Set the system timezone # @@ -312,25 +292,9 @@ restart_service resolvconf # ### Fail2Ban Service # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh -# ChiefGyk commented out a filter to use my own temporarily. May be removed later on line 322 cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf -cp conf/fail2ban/nginx.conf /etc/fail2ban/filter.d/nginx.conf -cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf -cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf -#cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf -cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf -cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf -cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf restart_service fail2ban - -# Add Blocklist.de malicious IP Addresses to Daily Crontab -# Added by Alon "ChiefGyk" Ganon -cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban -chmod a+x /etc/cron.daily/sync-fail2ban -time /etc/cron.daily/sync-fail2ban - -