TirsvadCMS-Scripts
diff --git a/‎README.md
Lines changed: 2 additions & 0 deletions b/‎README.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/conf/iptables/v4
Lines changed: 167 additions & 0 deletions b/‎src/conf/iptables/v4
Lines changed: 167 additions & 0 deletions
diff --git a/‎src/conf/iptables/v6
Lines changed: 160 additions & 0 deletions b/‎src/conf/iptables/v6
Lines changed: 160 additions & 0 deletions
diff --git a/‎src/conf/nginx/nginx.conf
Lines changed: 64 additions & 0 deletions b/‎src/conf/nginx/nginx.conf
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,2 @@
+# LinuxServerSetup script Default Config
+It's download automatic by script if not applied with own config.
@@ -0,0 +1,167 @@
+###############################################################################
+# The MIT License
+#
+# Copyright 2012-2014 Jakub Jirutka <jakub@jirutka.cz>.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+###############################################################################
+#
+#           Basic iptables/IPv4 template for an ordinary servers
+#
+# This file is in iptables-restore format. See the man pages for
+# iptables-restore(8) and iptables-save(8).
+#
+# The following is a set of firewall rules that should be applicable to Linux
+# servers running within departments. It is intended to provide a useful
+# starting point from which to devise a comprehensive firewall policy for
+# a host.
+#
+# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
+# populated with rules specific to particular hosts. The optional part 4 is
+# prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
+#
+# This template is based on http://jdem.cz/v64a3 from University of Leicester.
+#
+# For the newest version go to https://gist.github.com/jirutka/3742890.
+#
+# @author Jakub Jirutka <jakub@jirutka.cz>
+# @version 1.3.1
+# @date 2014-01-28
+#
+
+###############################################################################
+# 1. COMMON HEADER                                                            #
+#                                                                             #
+# This section is a generic header that should be suitable for most hosts.    #
+###############################################################################
+
+*filter
+
+# Base policy
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Loopback device.
+-A INPUT -i lo -j ACCEPT
+
+# Continue connections that are already established or related to an established connection.
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Drop non-conforming packets, such as malformed headers, etc.
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Block remote packets claiming to be from a loopback address.
+-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
+
+# Drop all packets that are going to broadcast, multicast or anycast address.
+-A INPUT -m addrtype --dst-type BROADCAST -j DROP
+-A INPUT -m addrtype --dst-type MULTICAST -j DROP
+-A INPUT -m addrtype --dst-type ANYCAST -j DROP
+-A INPUT -d 224.0.0.0/4 -j DROP
+
+# Chain for preventing SSH brute-force attacks.
+# Permits 10 new connections within 5 minutes from a single host then drops
+# incomming connections from that host. Beyond a burst of 100 connections we
+# log at up 1 attempt per second to prevent filling of logs.
+-N SSHBRUTE
+-A SSHBRUTE -m recent --name SSH --set
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
+-A SSHBRUTE -j ACCEPT
+
+# Chain for preventing ping flooding - up to 6 pings per second from a single
+# source, again with log limiting. Also prevents us from ICMP REPLY flooding
+# some victim when replying to ICMP ECHO from a spoofed source.
+-N ICMPFLOOD
+-A ICMPFLOOD -m recent --set --name ICMP --rsource
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
+-A ICMPFLOOD -j ACCEPT
+
+###############################################################################
+# 2. HOST SPECIFIC RULES                                                      #
+#                                                                             #
+# This section is a good place to enable your host-specific services.         #
+# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 !   #
+###############################################################################
+
+###############################################################################
+# 3. GENERAL RULES                                                            #
+#                                                                             #
+# This section contains general rules that should be suitable for most hosts. #
+###############################################################################
+
+# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
+# brute-force attacks.
+-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
+
+# Permit useful IMCP packet types.
+# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
+# Blocking these can make diagnosing of even simple faults much more tricky.
+# Real security lies in locking down and hardening all services, not by hiding.
+-A INPUT -p icmp --icmp-type 0  -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 3  -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 8  -m conntrack --ctstate NEW -j ICMPFLOOD
+-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
+
+# Do not log packets that are going to ports used by SMB
+# (Samba / Windows Sharing).
+-A INPUT -p udp -m multiport --dports 135,445 -j DROP
+-A INPUT -p udp --dport 137:139 -j DROP
+-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
+
+# Do not log packets that are going to port used by UPnP protocol.
+-A INPUT -p udp --dport 1900 -j DROP
+
+# Do not log late replies from nameservers.
+-A INPUT -p udp --sport 53 -j DROP
+
+# Good practise is to explicately reject AUTH traffic so that it fails fast.
+-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+
+# Prevent DOS by filling log files.
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
+
+COMMIT
+
+###############################################################################
+# 4. HOST SPECIFIC NAT RULES                                                  #
+#                                                                             #
+# Uncomment this section if you want to use NAT table, e.g. for port          #
+# forwarding, redirect, masquerade...                                         #
+###############################################################################
+
+#*nat
+
+# Base policy
+#:PREROUTING ACCEPT [0:0]
+#:POSTROUTING ACCEPT [0:0]
+#:OUTPUT ACCEPT [0:0]
+
+# Redirect port 21 to local port 2121
+#-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121
+
+# Forward port 8080 to port 80 on host 192.168.1.10
+#-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
+
+#COMMIT
@@ -0,0 +1,160 @@
+###############################################################################
+# The MIT License
+#
+# Copyright 2012-2014 Jakub Jirutka <jakub@jirutka.cz>.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+###############################################################################
+#
+#           Basic ip6tables/IPv6 template for an ordinary servers
+#
+# This file is in iptables-restore format. See the man pages for
+# ip6tables-restore(8) and ip6tables-save(8).
+#
+# The following is a set of firewall rules that should be applicable to Linux
+# servers running within departments. It is intended to provide a useful
+# starting point from which to devise a comprehensive firewall policy for
+# a host.
+#
+# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
+# populated with rules specific to particular hosts.
+#
+# This template is based on http://jdem.cz/v64a3 from University of Leicester.
+#
+# For the newest version go to https://gist.github.com/jirutka/3742890.
+#
+# @author Jakub Jirutka <jakub@jirutka.cz>
+# @version 1.3.1
+# @date 2014-01-28
+#
+
+###############################################################################
+# 1. COMMON HEADER                                                            #
+#                                                                             #
+# This section is a generic header that should be suitable for most hosts.    #
+###############################################################################
+
+*filter
+
+# Base policy
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Don't attempt to firewall internal traffic on the loopback device.
+-A INPUT -i lo -j ACCEPT
+
+# Continue connections that are already established or related to an established
+# connection.
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Drop non-conforming packets, such as malformed headers, etc.
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Block remote packets claiming to be from a loopback address.
+-A INPUT -s ::1/128 ! -i lo -j DROP
+
+# Chain for preventing SSH brute-force attacks.
+# Permits 10 new connections within 5 minutes from a single host then drops
+# incomming connections from that host. Beyond a burst of 100 connections we
+# log at up 1 attempt per second to prevent filling of logs.
+-N SSHBRUTE
+-A SSHBRUTE -m recent --name SSH --set
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[SSH-brute]: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
+-A SSHBRUTE -j ACCEPT
+
+# Chain for preventing ping flooding - up to 6 pings per second from a single
+# source, again with log limiting. Also prevents us from ICMP REPLY flooding
+# some victim when replying to ICMP ECHO from a spoofed source.
+-N ICMPFLOOD
+-A ICMPFLOOD -m recent --set --name ICMP --rsource
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "ip6tables[ICMP-flood]: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
+-A ICMPFLOOD -j ACCEPT
+
+
+###############################################################################
+# 2. HOST SPECIFIC RULES                                                      #
+#                                                                             #
+# This section is a good place to enable your host-specific services.         #
+###############################################################################
+
+# Accept HTTP and HTTPS
+#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
+
+
+###############################################################################
+# 3. GENERAL RULES                                                            #
+#                                                                             #
+# This section contains general rules that should be suitable for most hosts. #
+###############################################################################
+
+# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
+# brute-force attacks.
+-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
+
+# Permit needed ICMP packet types for IPv6 per RFC 4890.
+-A INPUT              -p ipv6-icmp --icmpv6-type 1   -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 2   -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 3   -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 4   -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
+-A INPUT              -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
+-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
+
+# Permit IMCP echo requests (ping) and use ICMPFLOOD chain for preventing ping
+# flooding.
+-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ICMPFLOOD
+
+# Do not log packets that are going to ports used by SMB
+# (Samba / Windows Sharing).
+-A INPUT -p udp -m multiport --dports 135,445 -j DROP
+-A INPUT -p udp --dport 137:139 -j DROP
+-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
+
+# Do not log packets that are going to port used by UPnP protocol.
+-A INPUT -p udp --dport 1900 -j DROP
+
+# Do not log late replies from nameservers.
+-A INPUT -p udp --sport 53 -j DROP
+
+# Good practise is to explicately reject AUTH traffic so that it fails fast.
+-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+
+# Prevent DOS by filling log files.
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
+
+COMMIT
@@ -0,0 +1,64 @@
+# Ideally # of worker processes = # of CPUs or cores
+# Set to auto to autodetect
+# max_clients = worker_processes * worker_connections
+worker_processes 1;
+
+# Maximum number of open file descriptors per process
+# should be > worker_connections
+worker_rlimit_nofile 10240;
+
+events {
+    # Use epoll on Linux 2.6+
+    use epoll;
+    # Max number of simultaneous connections per worker process
+    worker_connections 1024;
+    # Accept all new connections at one time
+    multi_accept on;
+}
+
+http {
+    # Hide nginx version information
+    server_tokens off;
+
+    # Speed up file transfers by using sendfile() to copy directly
+    # between descriptors rather than using read()/write()
+    sendfile on;
+
+    # Tell Nginx not to send out partial frames; this increases throughput
+    # since TCP frames are filled up before being sent out (adds TCP_CORK)
+    # Send the response header and the beginning of a file in one packet
+    # Send a file in full packets
+    tcp_nopush on;
+
+    # Tell Nginx to enable the Nagle buffering algorithm for TCP packets
+    # which collates several smaller packets together into one larger packet
+    # thus saving bandwidth at the cost of a nearly imperceptible increase to latency
+    tcp_nodelay off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ##
+    # SSL Settings
+    ##
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+    ssl_prefer_server_ciphers on;
+
+    ##
+    # Gzip Settings
+    ##
+    gzip on;
+
+    # gzip_vary on;
+    # gzip_proxied any;
+    # gzip_comp_level 6;
+    # gzip_buffers 16 8k;
+    # gzip_http_version 1.1;
+    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    ##
+    # Virtual Host Configs
+    ##
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# LinuxServerSetup script Default Config`
	`2`	`+It's download automatic by script if not applied with own config.`