.DS_Store
/nbproject/private/
.phplint-cache
# Defines stages which are to be executed
stages:
- syntax
#
### Stage syntax
#
syntax:lint:
stage: syntax
image: bobey/docker-gitlab-ci-runner-php7
allow_failure: false
only:
- schedules
- web
script:
- composer require overtrue/phplint
- echo "Syntax checking PHP files"
- echo "For more information http://www.icosaedro.it/phplint/"
- vendor/bin/phplint
path: ./
jobs: 10
cache: .phplint-cache
extensions:
- php
- lng
exclude:
- vendor
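Review bot: `composer require overtrue/phplint` in the lint job's script installs whatever version of the package is current when the pipeline runs, so the job is not reproducible and a broken or compromised release of the linter reaches CI without review; pin it, e.g. `- composer require overtrue/phplint:<PINNED_VERSION>` (placeholder), or better, declare it as a dev dependency with a committed lock file and run `composer install`. The `image: bobey/docker-gitlab-ci-runner-php7` tag has the same drift problem and would be fixed by pinning to an image digest. A short comment above `script:` saying that the job executes third-party code fetched at run time would make the trade-off visible to the next maintainer.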
# ISPConfig - Hosting Control Panel
Nightly (master): [![pipeline status](https://git.ispconfig.org/ispconfig/ispconfig3/badges/master/pipeline.svg)](https://git.ispconfig.org/ispconfig/ispconfig3/commits/master)
Stable branch: [![pipeline status](https://git.ispconfig.org/ispconfig/ispconfig3/badges/stable-3.1/pipeline.svg)](https://git.ispconfig.org/ispconfig/ispconfig3/commits/stable-3.1)
- Manage multiple servers from one control panel
- Web server management (Apache2 and nginx)
- Mail server management (with virtual mail users)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This folder contains examples for further ISPC hardening (done by NwSEC)
Currently, these are:
anti-bruteforce WordPress Login Anti-Bruteforce via fail2ban
postfix-ldap Query for valid recipients via LDAP in a transparent
setup routing mails e.g. to the internal server
All these examples have been productively tested and implemented on various
Debian/GNU Linux based systems.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is an example to block WordPress Login Bruteforce Attacks. Further
description can also be found @ https://blog.nwsec.de/wordpress/?p=1112
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file
#
# This goes into (or at the end of) /etc/fail2ban/jail.local
#
[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=wp-auth, port="http,https"]
logpath = /var/log/ispconfig/httpd/*/*.log
bantime = 1200
maxretry = 5
#
# This goes into /etc/fail2ban/filter.d/wp-auth.conf
#
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
\ No newline at end of file
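Review bot: The filter `failregex = ^<HOST> .* "POST /wp-login.php` counts every POST to the login page, successful logins included, so five logins from one source (an office NAT, a site owner saving settings) inside fail2ban's default findtime trigger the 1200 s ban; the jail should at least carry an `ignoreip` line for known administrator networks, and the header comment should say that the rule bans legitimate users too because an access log cannot tell a failed login from a successful one. The `.` in `wp-login.php` is unescaped and should read `wp-login\.php`, and the anchor `^<HOST>` only works if the per-site log line starts with the client address — if the ISPConfig vhost log format puts a hostname or timestamp first, the regex never matches and the jail silently does nothing, so the expected log format belongs in the comment. `findtime` is not set; stating it explicitly next to `maxretry = 5` makes the policy self-describing.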
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
If mails get transparently forwarded to another mailserver, a mechanism to block
mail for invalid recipients makes sense, and drastically increaes the well-known
backscatter problem.
LDAP queries are used to check for valid recipients, and forwards the mail, if
an entry for the user is found.
For this to work, on Debian/GNU Linux, you also have to install postfix-ldap by
apt install postfix-ldap
Further information can be found @ https://blog.nwsec.de/wordpress/?p=1031
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\ No newline at end of file
#
# This goes into /etc/postfix/main.cf in the section relay_recipient_maps
#
relay_recipient_maps = hash:/etc/postfix/relay_recipients, ldap:/etc/postfix/ldap-aliases.cf
\ No newline at end of file
server_host = x.x.x.x
search_base = ou=xxx, dc=xxx, dc=xx
version = 3
timeout = 10
leaf_result_attribute = mail
bind_dn = user@domain
bind_pw = userpassword
query_filter = (mail=%s)
result_attribute = mail, addressToForward
\ No newline at end of file
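Review bot: `bind_dn`/`bind_pw` are sent to `server_host` in the clear, because the example sets `version = 3` but no `start_tls = yes` (with `tls_require_cert = yes` and a CA file); without it the directory password crosses the network unencrypted and the recipient-validation answers can be altered in transit. Since this file carries a bind password, the README that installs it into `/etc/postfix/` should also say it must not be world-readable (owner root, readable by the `postfix` user only, mode 0640 or stricter — confirm against the local Postfix setup). `query_filter = (mail=%s)` is safe as written because Postfix applies RFC 2254 quoting to `%s`; a one-line comment noting that would stop someone from rewriting the filter into a form that loses it.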
......@@ -31,11 +31,28 @@ while($row2 = mysql_fetch_array($sql2))
{
$file2=$row2['data'];
}
//
// Fix for 'domain.ext.' apex notation
//
$record_name_end=substr($row2['name'], -1);
if ($record_name_end==".")
{
// remove trailing dot from apex
$record_name = substr($row2['name'], 0, strlen($row2['name'])-1);
}
else
{
// add domain to make it a fqdn
$record_name = $row2['name'] . "." . $row3['origin'];
}
print "$row2[name].$row3[origin]" . " $record_name\r\n";
mysql_select_db("dbispconfig");
$sql3 = mysql_query("SELECT substr(origin,1, LENGTH(origin)-1) AS origin FROM dns_soa where id=$row2[zone];");
$row3 = mysql_fetch_array($sql3);
mysql_select_db("powerdns");
mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$row2[name].$row3[origin]','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
mysql_query("INSERT INTO records (domain_id,name,content,ispconfig_id,type,ttl,prio,change_date) values ('$row2[zone]','$record_name','$file2','$row2[id]','$row2[type]','$row2[ttl]','$row2[aux]','1260446221');");
}
else
{
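Review bot: The new apex branch reads `$row3['origin']` in `$record_name = $row2['name'] . "." . $row3['origin'];` before `$row3` is assigned by the `SELECT substr(origin,...) FROM dns_soa` lookup a few lines further down, so the first record gets an undefined origin and each later record the previous record's origin; the `$sql3`/`$row3` lookup has to move above the apex fix. The INSERT still builds its SQL by interpolating `$row2[...]` and `$file2` (the record `data` column, presumably customer-edited DNS content) without escaping, so a record value containing a quote breaks or alters the statement written into the powerdns database — wrap each value in `mysql_real_escape_string()` or move the script to mysqli prepared statements, since the `mysql_*` functions no longer exist in PHP 7. As shown, both INSERT calls run for every row, writing the unfixed and the fixed name; if the first is meant to be superseded it should be deleted rather than left in place. The enclosing `while` loop starts before this hunk.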
--- amavisd-new.orig 2017-11-16 11:51:19.000000000 +0100
+++ amavisd-new 2018-05-25 16:53:45.623398108 +0200
@@ -22829,6 +22829,7 @@
}
# load policy banks from the 'client_ipaddr_policy' lookup
Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+ $msginfo->originating(c('originating'));
$msginfo->client_addr($cl_ip); # ADDR
$msginfo->client_port($cl_port); # PORT
@@ -34361,6 +34362,7 @@
$sig_ind++;
}
Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+ $msginfo->originating(c('originating'));
$msginfo->dkim_signatures_valid(\@signatures_valid) if @signatures_valid;
# if (ll(5) && $sig_ind > 0) {
# # show which header fields are covered by which signature
#!/bin/bash
# this is a bash script library to be called by other scripts,
# but not to be run directly
# Copyright (c) 2009, Scott Barr <gsbarr@gmail.com>
# All rights reserved.
#
#!/bin/bash
IFS=":"
AUTH_OK=1
AUTH_FAILED=0
LOGFILE="/var/log/prosody/auth.log"
USELOG=true
while read ACTION USER HOST PASS ; do
[ $USELOG == true ] && { echo "Date: $(date) Action: $ACTION User: $USER Host: $HOST" >> $LOGFILE; }
case $ACTION in
"auth")
if [ `/usr/bin/php /usr/local/lib/prosody/auth/db_auth.php $USER $HOST $PASS 2>/dev/null` == 1 ] ; then
echo $AUTH_OK
[ $USELOG == true ] && { echo "AUTH OK" >> $LOGFILE; }
else
echo $AUTH_FAILED
[ $USELOG == true ] && { echo "AUTH FAILED" >> $LOGFILE; }
fi
;;
"isuser")
if [ `/usr/bin/php /usr/local/lib/prosody/auth/db_isuser.php $USER $HOST 2>/dev/null` == 1 ] ; then
echo $AUTH_OK
[ $USELOG == true ] && { echo "ISUSER OK" >> $LOGFILE; }
else
echo $AUTH_FAILED
[ $USELOG == true ] && { echo "ISUSER FAILED" >> $LOGFILE; }
fi
;;
*)
echo $AUTH_FAILED
[ $USELOG == true ] && { echo "UNKNOWN ACTION GIVEN: $ACTION" >> $LOGFILE; }
;;
esac
done
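Review bot: The `auth` branch hands the user's password to PHP as a command-line argument (`... db_auth.php $USER $HOST $PASS`), so on a host without `hidepid` every local user can read it from the process list for the lifetime of the PHP call; pass it on stdin (or in the environment) and have db_auth.php read it from there instead of `$argv[3]`. `$USER $HOST $PASS` are unquoted, so a value with spaces or glob characters is split or expanded before PHP sees it, and when the PHP call prints nothing the test degrades to `[ == 1 ]`, which only fails closed by accident — quote the expansions and compare `"$(...)" = 1`. Because `USELOG=true` records every username and host, the header should state who may read `/var/log/prosody/auth.log` and how it is rotated.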
#!/usr/bin/php
<?php
define('DEBUG', true);
usage(count($argv) < 3 || count($argv) > 4);
$operation = $argv[1];
$host = $argv[2];
$configFile = file_get_contents('/etc/prosody/storage.cfg.lua');
preg_match_all('/(host|database|port|username|password) *= *"?([^"\n]*)"?;/', $configFile, $matches);
$config = array();
foreach($matches[1] AS $ix => $key) {
$config[$key] = $matches[2][$ix];
}
try {
// Connect to database
$db = new mysqli($config['host'], $config['username'], $config['password'], $config['database']);
switch($operation){
case 'user':
usage(count($argv) != 4);
$user = $argv[3];
do_query($db->prepare("DELETE FROM prosody WHERE user = ? AND host = ?"), $host, $user);
do_query($db->prepare("DELETE FROM prosodyarchive WHERE user = ? AND host = ?"), $host, $user);
break;
case 'domain':
do_query($db->prepare("DELETE FROM prosody WHERE host = ?"), $host);
do_query($db->prepare("DELETE FROM prosodyarchive WHERE host = ?"), $host);
do_query($db->prepare("DELETE FROM prosody WHERE host LIKE ?"), "%.$host");
do_query($db->prepare("DELETE FROM prosodyarchive WHERE host LIKE ?"), "%.$host");
break;
}
$db->close();
} catch (Exception $ex) {
var_dump($ex);
}
function do_query($query, $host, $user = false){
if($user !== false)
$query->bind_param('ss', $user, $host);
else
$query->bind_param('s', $host);
$query->execute();
$entries = $query->affected_rows;
$query->close();
if(DEBUG) echo "$entries deleted!\n";
return $entries;
}
function result_false($cond = true) {
if(!$cond) return;
exit(1);
}
function usage($cond = false){
if(!$cond) return;
echo "USAGE: \n prosody-purge domain my.domain.com \n prosody-purge user my.domain.com username \n";
result_false();
}
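Review bot: `var_dump($ex)` in the catch block prints the full exception including its trace, and with PHP's built-in default `zend.exception_ignore_args=0` the trace frame for `new mysqli(...)` carries its arguments — the database password just parsed from `/etc/prosody/storage.cfg.lua`; print only `$ex->getMessage()` to STDERR and `exit(1)`. The `switch` has no `default`, so an unknown operation connects, deletes nothing and exits 0 — add `default: usage(true);`. `"%.$host"` is passed to `LIKE` unescaped, so `_` or `%` in the host argument widens the delete; `addcslashes($host, '%_')` before building the pattern is cheap. A header comment describing the two invocations and the exit codes (usage errors exit 1, everything else 0) would also help, since the script is meant to be run by an operator.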
<?php
ini_set('display_errors', false);
require_once('db_conf.inc.php');
try{
// Connect database
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
result_false(mysqli_connect_errno());
// Get arguments
$arg_email = '';
$arg_password = '';
result_false(count($argv) != 4);
$arg_email = $argv[1].'@'.$argv[2];
$arg_password = $argv[3];
// check for existing user
$dbmail = $db->real_escape_string($arg_email);
$query = $db->prepare("SELECT jid, password FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
$query->bind_param('si', $arg_email, $isp_server_id);
$query->execute();
$query->bind_result($jid, $password);
$query->fetch();
$query->close();
result_false(is_null($jid));
checkAuth($arg_password, $password);
}catch(Exception $ex){
echo 0;
exit();
}
function result_false($cond = true){
if(!$cond) return;
echo 0;
exit();
}
function result_true(){
echo 1;
exit();
}
function checkAuth($pw_arg, $pw_db){
if(crypt($pw_arg, $pw_db) == $pw_db)
result_true();
result_false();
}
?>
\ No newline at end of file
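Review bot: The lookup `jid LIKE ?` binds the raw `user@host` assembled from argv, so `_` and `%` inside the supplied username or domain act as wildcards and the query can return another account's hash than the one named; it should be `jid = ?` (the `count(*)` query in db_isuser.php has the same LIKE). The check `crypt($pw_arg, $pw_db) == $pw_db` is a loose, early-exit comparison; use `hash_equals($pw_db, crypt($pw_arg, $pw_db))`, or, since password_verify() accepts crypt()-format hashes and compares in constant time, `if (password_verify($pw_arg, $pw_db)) result_true();`. `$dbmail = $db->real_escape_string($arg_email);` is dead code — the prepared statement binds `$arg_email` — and should be removed so nobody assumes escaping is happening there. The `result_false(is_null($jid))` line is what keeps a null `$password` out of checkAuth(); a one-line comment saying so would make that ordering deliberate.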
<?php
$db_user = '{mysql_server_ispconfig_user}';
$db_pass = '{mysql_server_ispconfig_password}';
$db_name = '{mysql_server_database}';
$db_host = '{mysql_server_ip}';
$isp_server_id = '{server_id}';
\ No newline at end of file
<?php
ini_set('display_errors', false);
require_once('db_conf.inc.php');
try{
// Connect database
$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
result_false(mysqli_connect_errno());
// Get arguments
$arg_email = '';
result_false(count($argv) != 3);
$arg_email = $argv[1].'@'.$argv[2];
// check for existing user
$dbmail = $db->real_escape_string($arg_email);
$query = $db->prepare("SELECT count(*) AS usercount FROM xmpp_user WHERE jid LIKE ? AND active='y' AND server_id=?");
$query->bind_param('si', $arg_email, $isp_server_id);
$query->execute();
$query->bind_result($usercount);
$query->fetch();
$query->close();
result_false($usercount != 1);
result_true();
}catch(Exception $ex){
echo 0;
exit();
}
function result_false($cond = true){
if(!$cond) return;
echo 0;
exit();
}
function result_true(){
echo 1;
exit();
}
?>
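Review bot: `$dbmail = $db->real_escape_string($arg_email);` is computed and never used (the statement binds `$arg_email` directly), so it is dead code that suggests an escaping step which does not happen; delete it. `result_false($usercount != 1)` also reports "no user" when more than one row matches, which is presumably intended as a duplicate guard — a comment such as `// exactly one active account must match; duplicates are treated as absent` would make that explicit. The trailing `?>` in a PHP-only file should be dropped so stray whitespace cannot be echoed before the `0`/`1` result that the caller parses.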