diff --git a/etc/debian_version b/etc/debian_version
new file mode 100644
index 0000000..cdb4ac4
--- /dev/null
+++ b/etc/debian_version
@@ -0,0 +1 @@
+13.1
diff --git a/etc/group b/etc/group
new file mode 100644
index 0000000..c4493a9
--- /dev/null
+++ b/etc/group
@@ -0,0 +1,57 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:caddy
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+systemd-journal:x:999:
+systemd-network:x:998:
+crontab:x:997:
+input:x:996:
+sgx:x:995:
+clock:x:994:
+kvm:x:993:
+render:x:992:
+netdev:x:101:
+_ssh:x:102:
+sftp:x:990:eureka,neotech
+eureka:x:1000:
+neotech:x:1001:
+mysql:x:103:
+memcache:x:104:
+caddy:x:991:
+msmtp:x:105:
+prometheus:x:106:
+messagebus:x:989:
diff --git a/etc/host.conf b/etc/host.conf
new file mode 100644
index 0000000..d1a59f7
--- /dev/null
+++ b/etc/host.conf
@@ -0,0 +1 @@
+multi on
diff --git a/etc/hostname b/etc/hostname
new file mode 100644
index 0000000..b7fd685
--- /dev/null
+++ b/etc/hostname
@@ -0,0 +1 @@
+debian13
diff --git a/etc/hosts b/etc/hosts
new file mode 100644
index 0000000..960f884
--- /dev/null
+++ b/etc/hosts
@@ -0,0 +1,7 @@
+127.0.0.1 localhost
+127.0.1.1 debian13.neotech.fr debian13
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/etc/hosts.allow b/etc/hosts.allow
new file mode 100644
index 0000000..4c12673
--- /dev/null
+++ b/etc/hosts.allow
@@ -0,0 +1,10 @@
+# /etc/hosts.allow: list of hosts that are allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: LOCAL @some_netgroup
+# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+#
+# If you're going to protect the portmapper use the name "rpcbind" for the
+# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
+#
+
diff --git a/etc/hosts.deny b/etc/hosts.deny
new file mode 100644
index 0000000..f393e64
--- /dev/null
+++ b/etc/hosts.deny
@@ -0,0 +1,17 @@
+# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: some.host.name, .some.domain
+# ALL EXCEPT in.fingerd: other.host.name, .other.domain
+#
+# If you're going to protect the portmapper use the name "rpcbind" for the
+# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
+#
+# The PARANOID wildcard matches any host whose name does not match its
+# address.
+#
+# You may wish to enable this to ensure any programs that don't
+# validate looked up hostnames still leave understandable logs. In past
+# versions of Debian this has been the default.
+# ALL: PARANOID
+
diff --git a/etc/reaction.jsonnet b/etc/reaction.jsonnet
new file mode 100644
index 0000000..33a7a78
--- /dev/null
+++ b/etc/reaction.jsonnet
@@ -0,0 +1,59 @@
+local banFor(time) = {
+ ban: {
+ cmd: ['iptables', '-w', '-A', 'reaction', '-s', '', '-j', 'DROP'],
+ },
+ unban: {
+ cmd: ['iptables', '-w', '-D', 'reaction', '-s', '', '-j', 'DROP'],
+ after: time,
+ },
+};
+
+{
+ patterns: {
+ ip: {
+ type: 'ipv4',
+ },
+ },
+ start: [
+ ['iptables', '-N', 'reaction'],
+ ['iptables', '-I', 'INPUT', '-p', 'all', '-j', 'reaction'],
+ ['iptables', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+ ],
+ stop: [
+ ['iptables', '-D', 'INPUT', '-p', 'all', '-j', 'reaction'],
+ ['iptables', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction'],
+ ['iptables', '-F', 'reaction'],
+ ['iptables', '-X', 'reaction'],
+ ],
+ streams: {
+ ssh: {
+ cmd: ['journalctl', '-fu', 'ssh.service'],
+ filters: {
+ failedlogin: {
+ regex: [
+ @'authentication failure;.*rhost=',
+ @'Failed password for .* from ',
+ @'banner exchange: Connection from port [0-9]*: invalid format',
+ @'Invalid user .* from ',
+ ],
+ retry: 3,
+ retryperiod: '6h',
+ actions: banFor('96h'),
+ },
+ },
+ },
+ apache: {
+ cmd: ['tail', '-q', '-F', '-n0', '/var/log/apache2/wp6_eureka.access.log'],
+ filters: {
+ sniffer: {
+ regex: [
+ @'\[.*\] 404 '
+ ],
+ retry: 3,
+ retryperiod: '10s',
+ actions: banFor('1h'),
+ }
+ }
+ }
+ },
+}
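Review bot: Every place the ssh and apache filters should bind the matched address reads as an empty string here (`'-s', ''` in banFor, and `rhost=`, `from `, `from port` at the ends of the regexes), so as shown no pattern reference is captured and iptables would be invoked with an empty `-s`; this looks like an angle-bracket placeholder stripped on rendering, but please confirm the committed file still carries the `<ip>` reference in each of those spots. Only `type: 'ipv4'` and `iptables` are configured, so if the host accepts SSH over IPv6 (the hosts file in this commit adds the ip6 loopback entries) those attempts are matched and banned nowhere; an ipv6 pattern with matching `ip6tables` start/stop/ban commands would close that gap. The apache `sniffer` filter bans for 1h after three lines matching `\[.*\] 404 ` within 10s, which a browser fetching a missing favicon or a few stale asset links can trigger, so consider narrowing the regex and, if this reaction version supports it, an `ignore` list of known-good addresses on the `ip` pattern. The tailed path `/var/log/apache2/wp6_eureka.access.log` sits next to a `caddy` user in the /etc/group hunk; `tail -F` waits silently if that file is never written, so verify the log is actually produced on this host.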