From 94afc1525e7d959747bae5623f438843ab1edae8 Mon Sep 17 00:00:00 2001
From: Valentin Vidic
Date: Wed, 28 Sep 2011 16:43:44 +0200
Subject: [PATCH] Update restore files.

---
 files/etc/monit/monitrc.restore | 103 ++++++++++++++++----------------
 files/etc/monit/monitrc.template | 2 +-
 files/etc/ntp.conf.expect | 44 ++++++++------
 files/etc/ntp.conf.restore | 44 ++++++++------
 files/etc/security/limits.conf.expect | 6 +-
 files/etc/security/limits.conf.restore | 6 +-
 files/etc/sysctl.conf.expect | 16 +++-
 files/etc/sysctl.conf.restore | 49 +++++++++++++--
 8 files changed, 171 insertions(+), 99 deletions(-)

diff --git a/files/etc/monit/monitrc.restore b/files/etc/monit/monitrc.restore
index ecd096d..4a5dacc 100644
--- a/files/etc/monit/monitrc.restore
+++ b/files/etc/monit/monitrc.restore
@@ -5,43 +5,43 @@ ## Comments begin with a '#' and extend through the end of the line. Keywords ## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'. ## -## Bellow is the example of some frequently used statements. For information -## about the control file, a complete list of statements and options please -## have a look in the monit manual. +## Below you will find examples of some frequently used statements. For +## information about the control file, a complete list of statements and +## options please have a look in the monit manual. ## ## ############################################################################### ## Global section ############################################################################### ## -## Start monit in background (run as daemon) and check the services at 2-minute -## intervals. +## Start monit in the background (run as a daemon) and check services at +## 2-minute intervals. # # set daemon 120 # # ## Set syslog logging with the 'daemon' facility. If the FACILITY option is -## omited, monit will use 'user' facility by default. You can specify the -## path to the file for monit native logging. +## omitted, monit will use 'user' facility by default. If you want to log to +## a stand alone log file instead, specify the path to a log file # -# set logfile syslog facility log_daemon +# set logfile syslog facility log_daemon # # -## Set list of mailservers for alert delivery. Multiple servers may be -## specified using comma separator. By default monit uses port 25 - it is -## possible to override it with the PORT option. +## Set the list of mail servers for alert delivery. Multiple servers may be +## specified using comma separator. By default monit uses port 25 - this +## is possible to override with the PORT option. 
# # set mailserver mail.bar.baz, # primary mailserver # backup.bar.baz port 10025, # backup mailserver on port 10025 # localhost # fallback relay # # -## By default monit will drop the event alert, in the case that there is no -## mailserver available. In the case that you want to keep the events for -## later delivery retry, you can use the EVENTQUEUE statement. The base -## directory where undelivered events will be stored is specified by the -## BASEDIR option. You can limit the maximal queue size using the SLOTS -## option (if omited then the queue is limited just by the backend filesystem). +## By default monit will drop alert events if no mail servers are available. +## If you want to keep the alerts for a later delivery retry, you can use the +## EVENTQUEUE statement. The base directory where undelivered alerts will be +## stored is specified by the BASEDIR option. You can limit the maximal queue +## size using the SLOTS option (if omitted, the queue is limited by space +## available in the back end filesystem). # # set eventqueue # basedir /var/monit # set the base directory where events will be stored 
@@ -65,24 +65,25 @@ ## monit # ## --8<-- ## -## You can override the alert message format or its parts such as subject +## You can override this message format or parts of it, such as subject ## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc. -## are expanded on runtime. For example to override the sender: +## are expanded at runtime. For example, to override the sender: # # set mail-format { from: monit@foo.bar } # # -## You can set the alert recipients here, which will receive the alert for -## each service. The event alerts may be restricted using the list. +## You can set alert recipients here whom will receive alerts if/when a +## service defined in this file has errors. Alerts may be restricted on +## events by using a filter as in the second example below. # # set alert sysadm@foo.bar # receive all alerts # set alert manager@foo.bar only on { timeout } # receive just service- # # timeout alert # # -## Monit has an embedded webserver, which can be used to view the -## configuration, actual services parameters or manage the services using the -## web interface. +## Monit has an embedded web server which can be used to view status of +## services monitored, the current configuration, actual services parameters +## and manage services from a web interface. # # set httpd port 2812 and # use address localhost # only accept connection from localhost @@ -94,9 +95,9 @@ ## Services ############################################################################### ## -## Check the general system resources such as load average, cpu and memory -## usage. Each rule specifies the tested resource, the limit and the action -## which will be performed in the case that the test failed. +## Check general system resources such as load average, cpu and memory +## usage. Each test specifies a resource, conditions and the action to be +## performed should a test fail. # # check system myhost.mydomain.tld # if loadavg (1min) > 4 then alert 
@@ -108,8 +109,9 @@ # # ## Check a file for existence, checksum, permissions, uid and gid. In addition -## to the recipients in the global section, customized alert will be send to -## the additional recipient. The service may be grouped using the GROUP option. +## to alert recipients in the global section, customized alert will be sent to +## additional recipients by specifying a local alert handler. The service may +## be grouped using the GROUP option. # # check file apache_bin with path /usr/local/apache/bin/httpd # if failed checksum and @@ -123,13 +125,13 @@ # group server # # -## Check that a process is running, responding on the HTTP and HTTPS request, -## check its resource usage such as cpu and memory, number of childrens. -## In the case that the process is not running, monit will restart it by -## default. In the case that the service was restarted very often and the -## problem remains, it is possible to disable the monitoring using the -## TIMEOUT statement. The service depends on another service (apache_bin) which -## is defined in the monit control file as well. +## Check that a process is running, in this case Apache, and that it respond +## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory, +## and number of children. If the process is not running, monit will restart +## it by default. In case the service was restarted very often and the +## problem remains, it is possible to disable monitoring using the TIMEOUT +## statement. This service depends on another service (apache_bin) which +## is defined above. # # check process apache with pidfile /usr/local/apache/logs/httpd.pid # start program = "/etc/init.d/httpd start" 
@@ -150,10 +152,10 @@ # group server # # -## Check the device permissions, uid, gid, space and inode usage. Other -## services such as databases may depend on this resource and automatical -## graceful stop may be cascaded to them before the filesystem will become -## full and the data will be lost. +## Check device permissions, uid, gid, space and inode usage. Other services, +## such as databases, may depend on this resource and an automatically graceful +## stop may be cascaded to them before the filesystem will become full and data +## lost. # # check device datafs with path /dev/sdb1 # start program = "/bin/mount /data" @@ -168,9 +170,9 @@ # group server # # -## Check a file's timestamp: when it becomes older then 15 minutes, the -## file is not updated and something is wrong. In the case that the size -## of the file exceeded given limit, perform the script. +## Check a file's timestamp. In this example, we test if a file is older +## than 15 minutes and assume something is wrong if its not updated. Also, +## if the file size exceed a given limit, execute a script # # check file database with path /data/mydatabase.db # if failed permission 700 then alert @@ -180,10 +182,9 @@ # if size > 100 MB then exec "/my/cleanup/script" # # -## Check the directory permission, uid and gid. An event is triggered -## if the directory does not belong to the user with the uid 0 and -## the gid 0. In the addition the permissions have to match the octal -## description of 755 (see chmod(1)). +## Check directory permission, uid and gid. An event is triggered if the +## directory does not belong to the user with uid 0 and gid 0. In addition, +## the permissions have to match the octal description of 755 (see chmod(1)). # # check directory bin with path /bin # if failed permission 755 then unmonitor 
@@ -191,9 +192,9 @@ # if failed gid 0 then unmonitor # # -## Check the remote host network services availability and the response -## content. One of three pings, a successfull connection to a port and -## application level network check is performed. +## Check a remote host network services availability using a ping test and +## check response content from a web server. Up to three pings are sent and +## connection to a port and a application level network check is performed. # # check host myserver with address 192.168.1.1 # if failed icmp type echo count 3 with timeout 3 seconds then alert @@ -208,7 +209,7 @@ ## Includes ############################################################################### ## -## It is possible to include the configuration or its parts from other files or +## It is possible to include additional configuration parts from other files or ## directories. # # include /etc/monit.d/* diff --git a/files/etc/monit/monitrc.template b/files/etc/monit/monitrc.template index baf3fc9..7f9fe71 100644 --- a/files/etc/monit/monitrc.template +++ b/files/etc/monit/monitrc.template @@ -9,7 +9,7 @@ set mail-format { message: monit $ACTION $SERVICE at $DATE on $HOST } set mailserver 127.0.0.1 -set alert root@localhost only on { uid, gid, size, nonexist, data, icmp, instance, invalid, exec, timeout, resource, checksum, match, timestamp, connection, permission } +set alert root@lenny-amd64.local only on { uid, gid, size, nonexist, data, icmp, instance, invalid, exec, timeout, resource, checksum, match, timestamp, connection, permission } #set httpd port 2812 and use address 127.0.0.1 #allow localhost diff --git a/files/etc/ntp.conf.expect b/files/etc/ntp.conf.expect index 306b941..e40aa13 100644 --- a/files/etc/ntp.conf.expect +++ b/files/etc/ntp.conf.expect 
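Review bot: A test-host-specific recipient, `root@lenny-amd64.local`, is now hard-coded in the template's `set alert` line, replacing the portable `root@localhost`; if this fixture is compared against output generated on another machine, that one line will differ on every host whose name is not lenny-amd64. If the generator derives the address from the local hostname, the fixture should carry a clearly marked placeholder that the test substitutes (e.g. `set alert root@HOSTNAME_PLACEHOLDER only on { ... }`), or the comparison should normalise the hostname before diffing. The monitrc.restore hunks on this and the preceding lines are comment-only rewording and need nothing further.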
@@ -1,7 +1,10 @@
-# /etc/ntp.conf, configuration for ntpd
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 driftfile /var/lib/ntp/ntp.drift
-statsdir /var/log/ntpstats/
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
@@ -16,17 +19,24 @@ server zg2.ntp.carnet.hr
 server st.ntp.carnet.hr
 server os.ntp.carnet.hr
-# pool.ntp.org maps to more than 300 low-stratum NTP servers.
-# Your server will pick a different set every time it starts up.
-# *** Please consider joining the pool! ***
-# *** ***
-#server 0.debian.pool.ntp.org iburst
-#server 1.debian.pool.ntp.org iburst
-#server 2.debian.pool.ntp.org iburst
-#server 3.debian.pool.ntp.org iburst
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+#server 0.debian.pool.ntp.org iburst dynamic
+#server 1.debian.pool.ntp.org iburst dynamic
+#server 2.debian.pool.ntp.org iburst dynamic
+#server 3.debian.pool.ntp.org iburst dynamic
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
 # By default, exchange time with everybody, but don't allow configuration.
-# See /usr/share/doc/ntp-doc/html/accopt.html for details.
 restrict -4 default kod notrap nomodify nopeer noquery
 restrict -6 default kod notrap nomodify nopeer noquery
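Review bot: The added access-control comment ends with `# details. The web page` followed directly by `# might also be helpful.`, so the page it refers to is missing; this looks like an angle-bracketed URL lost somewhere between the editor and this rendering, but as committed the sentence points nowhere, and the identical text is added to ntp.conf.restore in a later hunk. Either restore the reference or drop the sentence in both files. Separately, the `restrict -4 default kod notrap nomodify nopeer noquery` lines kept as context use `kod` without `limited`; as far as I know ntpd only emits kiss-o'-death packets from its rate-limit path, so `kod` is inert here, and later Debian defaults add `limited` for exactly that reason — if rate limiting of abusive clients is wanted, that flag plus a one-line comment explaining the pairing is the fix; if not, `kod` could simply be dropped to avoid implying protection that is not there.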
@@ -34,16 +44,16 @@ restrict -6 default kod notrap nomodify nopeer noquery
 restrict 127.0.0.1
 restrict ::1
-# Clients from this (example!) subnet have unlimited access,
-# but only if cryptographically authenticated
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
 # If you want to provide time to your local subnet, change the next line.
 # (Again, the address is an example only.)
 #broadcast 192.168.123.255
-# If you want to listen to time broadcasts on your local subnet,
-# de-comment the next lines. Please do this only if you trust everybody
-# on the network!
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
 #disable auth
 #broadcastclient
diff --git a/files/etc/ntp.conf.restore b/files/etc/ntp.conf.restore
index de39178..39529f5 100644
--- a/files/etc/ntp.conf.restore
+++ b/files/etc/ntp.conf.restore
@@ -1,7 +1,10 @@
-# /etc/ntp.conf, configuration for ntpd
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
 driftfile /var/lib/ntp/ntp.drift
-statsdir /var/log/ntpstats/
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
@@ -12,17 +15,24 @@ filegen clockstats file clockstats type day enable
 # You do need to talk to an NTP server or two (or three).
 #server ntp.your-provider.example
-# pool.ntp.org maps to more than 300 low-stratum NTP servers.
-# Your server will pick a different set every time it starts up.
-# *** Please consider joining the pool! ***
-# *** ***
-server 0.debian.pool.ntp.org iburst
-server 1.debian.pool.ntp.org iburst
-server 2.debian.pool.ntp.org iburst
-server 3.debian.pool.ntp.org iburst
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool:
+server 0.debian.pool.ntp.org iburst dynamic
+server 1.debian.pool.ntp.org iburst dynamic
+server 2.debian.pool.ntp.org iburst dynamic
+server 3.debian.pool.ntp.org iburst dynamic
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
 # By default, exchange time with everybody, but don't allow configuration.
-# See /usr/share/doc/ntp-doc/html/accopt.html for details.
 restrict -4 default kod notrap nomodify nopeer noquery
 restrict -6 default kod notrap nomodify nopeer noquery
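Review bot: The four live `server N.debian.pool.ntp.org iburst dynamic` lines gain the `dynamic` keyword, which in the ntp.conf(5) I know is documented as obsolete from ntp 4.2.6 onward — accepted but ignored — so the change is behaviourally neutral on current daemons and only matters if this restore fixture must match one distro release byte-for-byte; worth confirming which ntp version the fixture targets and noting it in the file header. The web-page reference missing from the added access-control comment is the same defect already raised on ntp.conf.expect above.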
@@ -30,16 +40,16 @@ restrict -6 default kod notrap nomodify nopeer noquery
 restrict 127.0.0.1
 restrict ::1
-# Clients from this (example!) subnet have unlimited access,
-# but only if cryptographically authenticated
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
 # If you want to provide time to your local subnet, change the next line.
 # (Again, the address is an example only.)
 #broadcast 192.168.123.255
-# If you want to listen to time broadcasts on your local subnet,
-# de-comment the next lines. Please do this only if you trust everybody
-# on the network!
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
 #disable auth
 #broadcastclient
diff --git a/files/etc/security/limits.conf.expect b/files/etc/security/limits.conf.expect
index 070b19a..de0a011 100644
--- a/files/etc/security/limits.conf.expect
+++ b/files/etc/security/limits.conf.expect
@@ -26,15 +26,16 @@
 # - stack - max stack size (KB)
 # - cpu - max CPU time (MIN)
 # - nproc - max number of processes
-# - as - address space limit
+# - as - address space limit (KB)
 # - maxlogins - max number of logins for this user
 # - maxsyslogins - max number of logins on the system
 # - priority - the priority to run user process with
 # - locks - max number of file locks the user can hold
 # - sigpending - max number of pending signals
 # - msgqueue - max memory used by POSIX message queues (bytes)
-# - nice - max nice priority allowed to raise to
+# - nice - max nice priority allowed to raise to values: [-20, 19]
 # - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
 #
 #
 #
@@ -45,6 +46,7 @@
 #@faculty soft nproc 20
 #@faculty hard nproc 50
 #ftp hard nproc 0
+#ftp - chroot /ftp
 #@student - maxlogins 4
 # End of file
diff --git a/files/etc/security/limits.conf.restore b/files/etc/security/limits.conf.restore
index c52778b..9ab8ae2 100644
--- a/files/etc/security/limits.conf.restore
+++ b/files/etc/security/limits.conf.restore
@@ -26,15 +26,16 @@
 # - stack - max stack size (KB)
 # - cpu - max CPU time (MIN)
 # - nproc - max number of processes
-# - as - address space limit
+# - as - address space limit (KB)
 # - maxlogins - max number of logins for this user
 # - maxsyslogins - max number of logins on the system
 # - priority - the priority to run user process with
 # - locks - max number of file locks the user can hold
 # - sigpending - max number of pending signals
 # - msgqueue - max memory used by POSIX message queues (bytes)
-# - nice - max nice priority allowed to raise to
+# - nice - max nice priority allowed to raise to values: [-20, 19]
 # - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
 #
 #
 #
@@ -45,6 +46,7 @@
 #@faculty soft nproc 20
 #@faculty hard nproc 50
 #ftp hard nproc 0
+#ftp - chroot /ftp
 #@student - maxlogins 4
 # End of file
diff --git a/files/etc/sysctl.conf.expect b/files/etc/sysctl.conf.expect
index 179b791..14e08b0 100644
--- a/files/etc/sysctl.conf.expect
+++ b/files/etc/sysctl.conf.expect
@@ -4,11 +4,18 @@
 #
 #kernel.domainname=example.com
 #kernel.printk=4 4 1 7
-#net.ipv4.conf.default.forwarding=1
+#net.ipv4.conf.all.accept_redirects=0
+#net.ipv4.conf.all.accept_source_route=0
+#net.ipv4.conf.all.log_martians=1
+#net.ipv4.conf.all.rp_filter=1
+#net.ipv4.conf.all.send_redirects=0
 #net.ipv4.conf.default.rp_filter=1
 #net.ipv4.icmp_echo_ignore_broadcasts=1
-#net.ipv6.conf.default.forwarding=1
-kernel.exec-shield=3
+#net.ipv4.icmp_ignore_bogus_error_responses=1
+#net.ipv4.ip_forward=1
+#net.ipv6.conf.all.accept_redirects=0
+#net.ipv6.conf.all.accept_source_route=0
+#net.ipv6.conf.all.forwarding=1
 kernel.maps_protect=1
 net.core.rmem_default=1048576
 net.core.wmem_default=1048576
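Review bot: Removing the live `kernel.exec-shield=3` from sysctl.conf.expect is right for a Debian-style file, since that key only exists on Red Hat-derived kernels and `sysctl -p` would report it as unknown, but the `kernel.maps_protect=1` kept live on the very next line has the same problem on newer kernels — I believe the key was dropped around 2.6.27 — so it deserves either the same treatment or a comment such as `# kernel.maps_protect: only exists on kernels up to about 2.6.26 — confirm before relying on it`. The ten new commented keys also shadow values that are set live further down this file (`net.ipv4.icmp_echo_ignore_broadcasts=1` and `net.ipv4.ip_forward=0` are visible as active lines in the next hunk), and because the last assignment wins in sysctl, a reader cannot tell from this block which value is in effect; a one-line comment marking the block as inactive examples would remove that ambiguity.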
@@ -22,9 +29,8 @@ net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
 net.ipv4.ip_local_port_range=10000 65000
-net.ipv4.tcp_congestion_control=cubic
 net.ipv4.tcp_ecn=0
-net.ipv4.tcp_max_syn_backlog=8192
+net.ipv4.tcp_max_syn_backlog=1024
 net.ipv4.tcp_retries1=2
 net.ipv4.tcp_rfc1337=1
 net.ipv4.tcp_syncookies=1
diff --git a/files/etc/sysctl.conf.restore b/files/etc/sysctl.conf.restore
index 971d612..6cd0aeb 100644
--- a/files/etc/sysctl.conf.restore
+++ b/files/etc/sysctl.conf.restore
@@ -1,10 +1,10 @@
 #
 # /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
 # See sysctl.conf (5) for information.
 #
 #kernel.domainname = example.com
-#net/ipv4/icmp_echo_ignore_broadcasts=1
 # Uncomment the following to stop low-level messages on console
 #kernel.printk = 4 4 1 7
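Review bot: `net.ipv4.tcp_max_syn_backlog` is lowered from 8192 to 1024 with no rationale in the commit message, and since 1024 is, I believe, the kernel's own default for machines of that era, the change reads as a revert to default rather than a deliberate hardening value. With `net.ipv4.tcp_syncookies=1` three lines below, this backlog is the depth at which syncookies take over, and connections accepted via cookies on those kernels lose TCP options such as window scaling and SACK, so an eight-times smaller queue makes that degradation start sooner under load. Please record the intent next to the value, e.g. `# SYN queue depth; syncookies take over once it fills (kernel default is 1024)`. Dropping `net.ipv4.tcp_congestion_control=cubic` looks fine, as cubic has been the kernel default since 2.6.19.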
@@ -13,14 +13,55 @@
 # Functions previously found in netbase
 #
-# Uncomment the next line to enable Spoof protection (reverse-path filter)
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
 #net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
 # Uncomment the next line to enable TCP/IP SYN cookies
+# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
+# and is not recommended.
 #net.ipv4.tcp_syncookies=1
 # Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.conf.default.forwarding=1
+#net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
-#net.ipv6.conf.default.forwarding=1
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Ignore ICMP broadcasts
+#net.ipv4.icmp_echo_ignore_broadcasts = 1
+#
+# Ignore bogus ICMP errors
+#net.ipv4.icmp_ignore_bogus_error_responses = 1
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+# The contents of /proc//maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+# kernel.maps_protect = 1
-- 
1.7.10.4
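Review bot: The second-to-last added comment reads `# The contents of /proc//maps and smaps files`, with nothing between the two slashes; that is most likely a `<pid>` placeholder lost to rendering, but as committed the path is garbled and should be checked in the actual file. The new comment above `#net.ipv4.tcp_syncookies=1` calls the setting "not recommended", while the sysctl.conf.expect hunk in this same commit keeps `net.ipv4.tcp_syncookies=1` live; if the restore file is meant to be the verbatim distro default that is acceptable, but a short header note saying so (this hunk starts at line 13, so the header is outside it) would explain why the two fixtures disagree. The closing `# kernel.maps_protect = 1` example refers to a key that, I believe, later kernels no longer expose, so anyone uncommenting it should first confirm it exists on the target kernel.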