Skip to content

I
ISPConfig 3
Source
Select Git revision
...
Target
Select Git revision
 
Commits (680)
Expand all Hide whitespace changes
Inline Side-by-side
Showing with 10484 additions and 3835 deletions
.gitignore
View file @ d204dbb9
.DS_Store
/nbproject/private/
\ No newline at end of file
.gitlab/issue_templates/Bug.md 0 → 100644
View file @ d204dbb9
## short description
What is happening and what is wrong with that?
## correct behaviour
What should happen instead?
## environment
Server OS: (debian/ubuntu/centos/...)
Server OS version: (wheezy/trusty/centos6/...)
ISPConfig version: (3.0.5.4/3.1.5/3.1dev/...)
_you can use `grep 'ISPC_APP_VERSION' /usr/local/ispconfig/server/lib/config.inc.php` to get it from the command line_
If it might be related to the problem
```
insert the output of `nginx -v` or `apachectl -v` here
```
```
insert the output of `php -v` here
```
## proposed fix
optional, of course.
if you want to post code snippets, please use
```
your code
```
or attach a code file. Best is to create a merge request of course.
## references
if you know of related bugs or feature requests, please reference them by using `#<bugnumber>`, e. g. #123
if you have done a merge request already, please reference it by using `!<mergenumber>`, e. g. !12
if you know of a forum post on howtoforge.com that deals with this topic, just add the link to the forum topic here
## screenshots
optional, of course.
Add screenshots of the problem by clicking "Attach a file" on the bottom right.
## log entries
```
apache / nginx error.log lines (if related)
```
\ No newline at end of file
CONTRIBUTING.md
View file @ d204dbb9
# Which code branch to use
The master branch is used for code (mostly new features) that shall go into the next major release (e.g. 3.2, 3.3 and so on). The stable branch (e.g. stable-3.1, stable-3.2) is the branch for the current intermediate and bugfix releases. Bugfixes shall be committed to the current stable branch and not the master branch. The stable branch is merged to the master automatically from time to time, please do not submit bugfixes a second time against the master.
# Some guidelines for web development with php.
-----------------------------------------------------
* Unix Line Breaks Only, NO windows breaks please.
......
docs/hardening/README.md 0 → 100644
View file @ d204dbb9
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This folder contains examples for further ISPC hardening (done by NwSEC)
Currently, these are:
anti-bruteforce WordPress Login Anti-Bruteforce via fail2ban
postfix-ldap Query for valid recipients via LDAP in a transparent
setup routing mails e.g. to the internal server
All these examples have been productively tested and implemented on various
Debian/GNU Linux based systems.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file
docs/hardening/anti-bruteforce/README.md 0 → 100644
View file @ d204dbb9
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is an example to block WordPress Login Bruteforce Attacks. Further
description can also be found @ https://blog.nwsec.de/wordpress/?p=1112
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file
docs/hardening/anti-bruteforce/jail.local 0 → 100644
View file @ d204dbb9
#
# This goes into (or at the end of) /etc/fail2ban/jail.local
#
[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=wp-auth, port="http,https"]
logpath = /var/log/ispconfig/httpd/*/*.log
bantime = 1200
maxretry = 5
docs/hardening/anti-bruteforce/wp-auth.conf 0 → 100644
View file @ d204dbb9
#
# This goes into /etc/fail2ban/filter.d/wp-auth.conf
#
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
\ No newline at end of file
docs/hardening/postfix-ldap/README.md 0 → 100644
View file @ d204dbb9
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
If mails get transparently forwarded to another mailserver, a mechanism to block
mail for invalid recipients makes sense, and drastically increaes the well-known
backscatter problem.
LDAP queries are used to check for valid recipients, and forwards the mail, if
an entry for the user is found.
For this to work, on Debian/GNU Linux, you also have to install postfix-ldap by
apt install postfix-ldap
Further information can be found @ https://blog.nwsec.de/wordpress/?p=1031
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file
docs/hardening/postfix-ldap/add_to_main.cf 0 → 100644
View file @ d204dbb9
#
# This goes into /etc/postfix/main.cf in the section relay_recipient_maps
#
relay_recipient_maps = hash:/etc/postfix/relay_recipients, ldap:/etc/postfix/ldap-aliases.cf
\ No newline at end of file
docs/hardening/postfix-ldap/ldap-aliases.cf 0 → 100644
View file @ d204dbb9
server_host = x.x.x.x
search_base = ou=xxx, dc=xxx, dc=xx
version = 3
timeout = 10
leaf_result_attribute = mail
bind_dn = user@domain
bind_pw = userpassword
query_filter = (mail=%s)
result_attribute = mail, addressToForward
\ No newline at end of file
helper_scripts/mydns_to_powerdns_migration.php
View file @ d204dbb9
......@@ -31,11 +31,28 @@ while($row2 = mysql_fetch_array($sql2))
{
$file2=$row2['data'];
}
//
// Fix for 'domain.ext.' apex notation
//
$record_name_end=substr($row2['name'], -1);
if ($record_name_end==".")
{
// remove trailing dot from apex
$record_name = substr($row2['name'], 0, strlen($row2['name'])-1);
}
else
{
// add domain to make it a fqdn
$record_name = $row2['name'] . "." . $row3['origin'];
}
print "$row2[name].$row3[origin]" . " $record_name\r\n";
mysql_select_db("dbispconfig");
$sql3 = mysql_query("SELECT substr(origin,1, LENGTH(origin)-1) AS origin FROM dns_soa where id=$row2[zone];");
$row3 = mysql_fetch_array($sql3);
mysql_select_db("powerdns");
mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$row2[name].$row3[origin]','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$record_name','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
}
else
{
......
helper_scripts/utils.sh
View file @ d204dbb9
#!/bin/bash
# this is a bash script library to be called by other scripts,
# but not to be run directly
# Copyright (c) 2009, Scott Barr <gsbarr@gmail.com>
# All rights reserved.
#
......
install/apps/xmpp_libs/auth_prosody/authenticate_isp.sh 0 → 100644
View file @ d204dbb9
#!/bin/bash
IFS=":"
AUTH_OK=1
AUTH_FAILED=0
LOGFILE="/var/log/prosody/auth.log"
USELOG=true
while read ACTION USER HOST PASS ; do
[ $USELOG == true ] && { echo "Date: $(date) Action: $ACTION User: $USER Host: $HOST" >> $LOGFILE; }
case $ACTION in
"auth")
if [ `/usr/bin/php /usr/local/lib/prosody/auth/db_auth.php $USER $HOST $PASS 2>/dev/null` == 1 ] ; then
echo $AUTH_OK
[ $USELOG == true ] && { echo "AUTH OK" >> $LOGFILE; }
else
echo $AUTH_FAILED
[ $USELOG == true ] && { echo "AUTH FAILED" >> $LOGFILE; }
fi
;;
"isuser")
if [ `/usr/bin/php /usr/local/lib/prosody/auth/db_isuser.php $USER $HOST 2>/dev/null` == 1 ] ; then
echo $AUTH_OK
[ $USELOG == true ] && { echo "ISUSER OK" >> $LOGFILE; }
else
echo $AUTH_FAILED
[ $USELOG == true ] && { echo "ISUSER FAILED" >> $LOGFILE; }
fi
;;
*)
echo $AUTH_FAILED
[ $USELOG == true ] && { echo "UNKNOWN ACTION GIVEN: $ACTION" >> $LOGFILE; }
;;
esac
done
install/apps/xmpp_libs/auth_prosody/prosody-purge 0 → 100644
View file @ d204dbb9
#!/usr/bin/php
<?php
define('DEBUG', true);
usage(count($argv) < 3 || count($argv) > 4);
$operation = $argv[1];
$host = $argv[2];
$configFile = file_get_contents('/etc/prosody/storage.cfg.lua');
preg_match_all('/(host|database|port|username|password) *= *"?([^"\n]*)"?;/', $configFile, $matches);
$config = array();
foreach($matches[1] AS $ix => $key) {
$config[$key] = $matches[2][$ix];
}
try {
// Connect to database
$db = new mysqli($config['host'], $config['username'], $config['password'], $config['database']);
switch($operation){
case 'user':
usage(count($argv) != 4);
$user = $argv[3];
do_query($db->prepare("DELETE FROM prosody WHERE user = ? AND host = ?"), $host, $user);
do_query($db->prepare("DELETE FROM prosodyarchive WHERE user = ? AND host = ?"), $host, $user);
break;
case 'domain':
do_query($db->prepare("DELETE FROM prosody WHERE host = ?"), $host);
do_query($db->prepare("DELETE FROM prosodyarchive WHERE host = ?"), $host);
do_query($db->prepare("DELETE FROM prosody WHERE host LIKE ?"), "%.$host");
do_query($db->prepare("DELETE FROM prosodyarchive WHERE host LIKE ?"), "%.$host");
break;
}
$db->close();
} catch (Exception $ex) {
var_dump($ex);
}
function do_query($query, $host, $user = false){
if($user !== false)
$query->bind_param('ss', $user, $host);
else
$query->bind_param('s', $host);
$query->execute();
$entries = $query->affected_rows;
$query->close();
if(DEBUG) echo "$entries deleted!\n";
return $entries;
}
function result_false($cond = true) {
if(!$cond) return;
exit(1);
}
function usage($cond = false){
if(!$cond) return;
echo "USAGE: \n prosody-purge domain my.domain.com \n prosody-purge user my.domain.com username \n";
result_false();
}
install/apps/xmpp_libs/mod_auth_external/db_auth.php 0 → 100644
View file @ d204dbb9
<?php
ini_set('display_errors', false);
require_once('db_conf.inc.php');
try{
// Connect database
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
result_false(mysqli_connect_errno());
// Get arguments
$arg_email = '';
$arg_password = '';
result_false(count($argv) != 4);
$arg_email = $argv[1].'@'.$argv[2];
$arg_password = $argv[3];
// check for existing user
$dbmail = $db->real_escape_string($arg_email);
$query = $db->prepare("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
$query->bind_param('si', $arg_email, $isp_server_id);
$query->execute();
$query->bind_result($jid, $password);
$query->fetch();
$query->close();
result_false(is_null($jid));
checkAuth($arg_password, $password);
}catch(Exception $ex){
echo 0;
exit();
}
function result_false($cond = true){
if(!$cond) return;
echo 0;
exit();
}
function result_true(){
echo 1;
exit();
}
function checkAuth($pw_arg, $pw_db){
if(crypt($pw_arg, $pw_db) == $pw_db)
result_true();
result_false();
}
?>
\ No newline at end of file
install/apps/xmpp_libs/mod_auth_external/db_conf.inc.php 0 → 100644
View file @ d204dbb9
<?php
$db_user = '{mysql_server_ispconfig_user}';
$db_pass = '{mysql_server_ispconfig_password}';
$db_name = '{mysql_server_database}';
$db_host = '{mysql_server_ip}';
$isp_server_id = '{server_id}';
\ No newline at end of file
install/apps/xmpp_libs/mod_auth_external/db_isuser.php 0 → 100644
View file @ d204dbb9
<?php
ini_set('display_errors', false);
require_once('db_conf.inc.php');
try{
// Connect database
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
result_false(mysqli_connect_errno());
// Get arguments
$arg_email = '';
result_false(count($argv) != 3);
$arg_email = $argv[1].'@'.$argv[2];
// check for existing user
$dbmail = $db->real_escape_string($arg_email);
$query = $db->prepare("SELECT count(*) AS usercount FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
$query->bind_param('si', $arg_email, $isp_server_id);
$query->execute();
$query->bind_result($usercount);
$query->fetch();
$query->close();
result_false($usercount != 1);
result_true();
}catch(Exception $ex){
echo 0;
exit();
}
function result_false($cond = true){
if(!$cond) return;
echo 0;
exit();
}
function result_true(){
echo 1;
exit();
}
?>
install/dist/conf/debian60.conf.php
View file @ d204dbb9
......@@ -227,8 +227,17 @@ $conf['cron']['crontab_dir'] = '/etc/cron.d';
$conf['cron']['wget'] = '/usr/bin/wget';
//* Metronome XMPP
$conf['xmpp']['installed'] = false;