.gitignore

 .DS_Store
+/nbproject/private/
\ No newline at end of file

.gitlab/issue_templates/Bug.md

+## short description
+What is happening and what is wrong with that?
+
+## correct behaviour
+What should happen instead?
+
+## environment
+Server OS: (debian/ubuntu/centos/...)  
+Server OS version: (wheezy/trusty/centos6/...)
+ISPConfig version: (3.0.5.4/3.1.5/3.1dev/...)
+_you can use `grep 'ISPC_APP_VERSION' /usr/local/ispconfig/server/lib/config.inc.php` to get it from the command line_
+
+If it might be related to the problem  
+```
+insert the output of `nginx -v` or `apachectl -v` here
+```
+```
+insert the output of `php -v` here
+```
+
+## proposed fix
+optional, of course.  
+if you want to post code snippets, please use  
+```  
+your code  
+```
+or attach a code file. Best is to create a merge request of course.  
+
+## references
+if you know of related bugs or feature requests, please reference them by using `#<bugnumber>`, e. g. #123  
+if you have done a merge request already, please reference it by using `!<mergenumber>`, e. g. !12  
+if you know of a forum post on howtoforge.com that deals with this topic, just add the link to the forum topic here
+
+## screenshots
+optional, of course.  
+Add screenshots of the problem by clicking "Attach a file" on the bottom right.
+
+## log entries
+```
+apache / nginx error.log lines (if related)
+```
\ No newline at end of file

CONTRIBUTING.md

+# Which code branch to use
+
+The master branch is used for code (mostly new features) that shall go into the next major release (e.g. 3.2, 3.3 and so on). The stable branch (e.g. stable-3.1, stable-3.2) is the branch for the current intermediate and bugfix releases. Bugfixes shall be committed to the current stable branch and not the master branch. The stable branch is merged to the master automatically from time to time, please do not submit bugfixes a second time against the master.
+
 # Some guidelines for web development with php.
 -----------------------------------------------------
 * Unix Line Breaks Only, NO windows breaks please.

docs/hardening/README.md

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+This folder contains examples for further ISPC hardening (done by NwSEC)
+
+
+Currently, these are:
+
+
+
+anti-bruteforce         WordPress Login Anti-Bruteforce via fail2ban
+
+postfix-ldap            Query for valid recipients via LDAP in a transparent
+                        setup routing mails e.g. to the internal server
+                        
+                        
+                        
+All these examples have been productively tested and implemented on various
+Debian/GNU Linux based systems.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file

docs/hardening/anti-bruteforce/README.md

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+This is an example to block WordPress Login Bruteforce Attacks. Further
+description can also be found @ https://blog.nwsec.de/wordpress/?p=1112
+
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file

docs/hardening/anti-bruteforce/jail.local

+#
+# This goes into (or at the end of) /etc/fail2ban/jail.local
+#
+[wp-auth]
+ enabled = true
+ filter = wp-auth
+ action = iptables-multiport[name=wp-auth, port="http,https"]
+ logpath = /var/log/ispconfig/httpd/*/*.log
+ bantime = 1200
+ maxretry = 5

docs/hardening/anti-bruteforce/wp-auth.conf

+#
+# This goes into /etc/fail2ban/filter.d/wp-auth.conf
+#
+[Definition]
+ failregex = ^<HOST> .* "POST /wp-login.php
\ No newline at end of file

docs/hardening/postfix-ldap/README.md

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+If mails get transparently forwarded to another mailserver, a mechanism to block
+mail for invalid recipients makes sense, and drastically increaes the well-known
+backscatter problem.
+
+LDAP queries are used to check for valid recipients, and forwards the mail, if
+an entry for the user is found.
+
+For this to work, on Debian/GNU Linux, you also have to install postfix-ldap by
+
+apt install postfix-ldap
+
+
+Further information can be found @ https://blog.nwsec.de/wordpress/?p=1031
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file

docs/hardening/postfix-ldap/add_to_main.cf

+#
+# This goes into /etc/postfix/main.cf in the section relay_recipient_maps
+#
+relay_recipient_maps = hash:/etc/postfix/relay_recipients, ldap:/etc/postfix/ldap-aliases.cf
\ No newline at end of file

docs/hardening/postfix-ldap/ldap-aliases.cf

+server_host = x.x.x.x
+search_base = ou=xxx, dc=xxx, dc=xx
+version = 3
+timeout = 10
+leaf_result_attribute = mail
+bind_dn = user@domain
+bind_pw = userpassword
+query_filter = (mail=%s) 
+result_attribute = mail, addressToForward
\ No newline at end of file

helper_scripts/mydns_to_powerdns_migration.php

@@ -31,11 +31,28 @@ while($row2 = mysql_fetch_array($sql2))
 		{
 			$file2=$row2['data'];
 		}
+
+                //
+                // Fix for 'domain.ext.' apex notation
+                //
+                $record_name_end=substr($row2['name'], -1);
+                if ($record_name_end==".")
+                {
+                       // remove trailing dot from apex
+                       $record_name = substr($row2['name'], 0, strlen($row2['name'])-1);
+                }
+                else
+                {
+                       // add domain to make it a fqdn
+                       $record_name = $row2['name'] . "." . $row3['origin'];
+                }
+
+                print "$row2[name].$row3[origin]" . " $record_name\r\n"; 
 		mysql_select_db("dbispconfig");
 		$sql3 = mysql_query("SELECT substr(origin,1, LENGTH(origin)-1) AS origin FROM dns_soa where id=$row2[zone];");
 		$row3 = mysql_fetch_array($sql3);
 		mysql_select_db("powerdns");
-		mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$row2[name].$row3[origin]','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
+		mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$record_name','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
 	}
 	else
 	{

helper_scripts/utils.sh

 #!/bin/bash
+
+#  this is a bash script library to be called by other scripts, 
+#  but not to be run directly
+
 # Copyright (c) 2009, Scott Barr <gsbarr@gmail.com>
 # All rights reserved.
 #

install/apps/xmpp_libs/auth_prosody/authenticate_isp.sh

+#!/bin/bash
+
+IFS=":"
+AUTH_OK=1
+AUTH_FAILED=0
+LOGFILE="/var/log/prosody/auth.log"
+USELOG=true
+
+while read ACTION USER HOST PASS ; do
+
+    [ $USELOG == true ] && { echo "Date: $(date) Action: $ACTION User: $USER Host: $HOST" >> $LOGFILE; }
+
+    case $ACTION in
+        "auth")
+            if [ `/usr/bin/php /usr/local/lib/prosody/auth/db_auth.php $USER $HOST $PASS 2>/dev/null` == 1 ] ; then
+                echo $AUTH_OK
+                [ $USELOG == true ] && { echo "AUTH OK" >> $LOGFILE; }
+            else
+                echo $AUTH_FAILED
+                [ $USELOG == true ] && { echo "AUTH FAILED" >> $LOGFILE; }
+            fi
+        ;;
+        "isuser")
+             if [ `/usr/bin/php /usr/local/lib/prosody/auth/db_isuser.php $USER $HOST 2>/dev/null` == 1 ] ; then
+                echo $AUTH_OK
+                [ $USELOG == true ] && { echo "ISUSER OK" >> $LOGFILE; }
+            else
+                echo $AUTH_FAILED
+                [ $USELOG == true ] && { echo "ISUSER FAILED" >> $LOGFILE; }
+            fi
+        ;;
+        *)
+            echo $AUTH_FAILED
+            [ $USELOG == true ] && { echo "UNKNOWN ACTION GIVEN: $ACTION" >> $LOGFILE; }
+        ;;
+    esac
+
+done

install/apps/xmpp_libs/auth_prosody/prosody-purge

+#!/usr/bin/php
+<?php
+
+define('DEBUG', true);
+usage(count($argv) < 3 || count($argv) > 4);
+
+$operation = $argv[1];
+$host = $argv[2];
+
+$configFile = file_get_contents('/etc/prosody/storage.cfg.lua');
+preg_match_all('/(host|database|port|username|password) *= *"?([^"\n]*)"?;/', $configFile, $matches);
+$config = array();
+foreach($matches[1] AS $ix => $key) {
+	$config[$key] = $matches[2][$ix];
+}
+
+try {
+	// Connect to database
+	$db = new mysqli($config['host'], $config['username'], $config['password'], $config['database']);
+	
+	switch($operation){
+	case 'user':
+		usage(count($argv) != 4);
+		$user = $argv[3];
+		do_query($db->prepare("DELETE FROM prosody WHERE user = ? AND host = ?"), $host, $user);
+		do_query($db->prepare("DELETE FROM prosodyarchive WHERE user = ? AND host = ?"), $host, $user);
+		break;
+	case 'domain':
+		do_query($db->prepare("DELETE FROM prosody WHERE host = ?"), $host);
+		do_query($db->prepare("DELETE FROM prosodyarchive WHERE host = ?"), $host);
+		do_query($db->prepare("DELETE FROM prosody WHERE host LIKE ?"), "%.$host");
+		do_query($db->prepare("DELETE FROM prosodyarchive WHERE host LIKE ?"), "%.$host");
+		break;
+	}
+	$db->close();
+} catch (Exception $ex) {
+	var_dump($ex);
+}
+
+
+function do_query($query, $host, $user = false){
+	if($user !== false)
+		$query->bind_param('ss', $user, $host);
+	else
+		$query->bind_param('s', $host);
+	$query->execute();
+	$entries = $query->affected_rows;
+	$query->close();
+	if(DEBUG) echo "$entries deleted!\n";
+	return $entries;
+}	
+
+function result_false($cond = true) {
+	if(!$cond) return;
+	exit(1);
+}
+
+function usage($cond = false){
+	if(!$cond) return;
+	echo "USAGE: \n prosody-purge domain my.domain.com \n prosody-purge user my.domain.com username \n";
+	result_false();
+}