initial commit

deflax 2017-09-15 21:11:31 +03:00
commit d30dd2fc84
25 changed files with 2042 additions and 0 deletions

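--- a/Oracle Siebel 15.0.txt
+++ b/Oracle Siebel 15.0.txt
@@ -0,0 +1,250 @@
+Siebel HOST: SIEBELHOST
+- install telnet
+- install iis
+- install jre-8u71-windows-x64
+0. Prepare Siebel Install Image using snic.bat from the zips.
+java -jar snic.jar also works
+1. Install 64bit Oracle Database 11g.
+global database name:SIEBELDB
+db administrative pass:SiebelDb1password1
+The Database Control URL is https://localhost:1158/em
+user: SYS
+connect as: SYSDBA
+create tablespaces:
+size 5GB
+SBLDATA
+SBLDATA01.DBF
+SBLINDX
+SBLINDX01.DBF
+2. Install 32bit Oracle Database 11g Client
+Type: Administrator
+Place tnsnames.ora into C:\Oracle\product\11.2.0\client_1\network\admin
+tnsnames.ora contents:
+SIEBELDB =
+(DESCRIPTION =
+(ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
+(CONNECT_DATA =
+(SERVER = DEDICATED)
+(SERVICE_NAME = SIEBELDB)
+)
+)
+3. Create Users (based on oracle grantusr.sql)
+cmd.exe
+sqlplus sys@siebeldb as sysdba
+create role sse_role;
+grant create session to sse_role;
+create role tblo_role;
+grant ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE INDEXTYPE,
+CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE SESSION,
+CREATE SYNONYM, CREATE TABLE, CREATE TRIGGER, CREATE TYPE, CREATE VIEW,
+CREATE DIMENSION, CREATE MATERIALIZED VIEW, QUERY REWRITE, ON COMMIT REFRESH
+to tblo_role;
+create user SIEBEL identified by sadmin1password1;
+grant tblo_role to SIEBEL;
+grant sse_role to SIEBEL;
+alter user SIEBEL quota 0 on SYSTEM quota 0 on SYSAUX;
+alter user SIEBEL default tablespace SBLDATA;
+alter user SIEBEL temporary tablespace temp;
+alter user SIEBEL quota unlimited on SBLDATA;
+alter user SIEBEL quota unlimited on SBLINDX;
+create user SADMIN identified by sadmin1password1;
+grant sse_role to SADMIN;
+alter user SADMIN default tablespace sbldata;
+alter user SADMIN temporary tablespace temp;
+alter user SADMIN quota unlimited on SBLDATA;
+alter user SADMIN quota unlimited on SBLINDX;
+----
+4. INSTALL SIEBEL SERVER from Network Image. General Config:
+Oracle Home Name: SES_HOME
+Location: c:\Siebel\15.0.0.0.0\ses
+-gateway name server
+-siebel server
+-database configuration utilities
+Program folder name: Siebel Enterprise Server 15.0.0.0.0
+5. SIEBEL ENTERPRISE CONFIGURATION
+5.1. Install new gateway name
+5.2. Install new enterprise in a gateway name server:
+Gateway Name server port: 2320
+name server account name: SADMIN
+pass: sadmin1password1
+enterprise name: SBA_82
+Siebel File system: C:\Siebel\15.0.0.0.0\ses\gtwysrvr\fs
+database table owner: SIEBEL
+sqlnet connect string: SIEBELDB
+user name: SADMIN
+pass: sadmin1password1
+6. DATABASE SERVER CONFIGURATION
+Make desktop shortcut to C:\Windows\SysWOW64\odbcad32.exe
+run as admin and get ODBC Data Source Name: SBA_82_DSN
+db username: SADMIN
+pass: sadmin1password1
+db table owner: SIEBEL
+pass: sadmin1password1
+index tables space name: SBLINDX
+table space name: SBLDATA
+Wait 3 hours max.
+Check Program Files\Oracle\Inventory\logs for errors
+7. SIEBEL SERVER CONFIGURATION
+gateway login: SADMIN
+Enable Open UI -> NO.
+Component Groups:
+-CallCenter
+-Remote
+-ORCL
+-WorkFlow
+-Communications
+broker port: 2321
+tcp/ip for syncronization manager: 40400
+8. SIEBEL ENTERPRISE CONFIGURATION - SWSE Profile
+Enterprise Name: SBA_82
+Path: C:\Siebel\15.0.0.0.0\ses\gtwysrvr\admin\Webserver
+HI Employee User: SIEBANON
+HI pass: siebanon123
+SI contact user: SIEBANON
+pass: siebanon123c
+token: 615 112 419 907 (spaces are just for readability here)
+statistic page: _stats.swe
+http port: 8080
+https port: 8443
+9. POPULATE THE FS DIR:
+Copy all files from C:\Siebel\15.0.0.0.0\ses\dbsrvr\FILES
+to: C:\Siebel\15.0.0.0.0\ses\gtwysrvr\fs\att
+10. INSTALL SIEBEL WEB SERVER EXTENSION
+C:\Siebel_Install_Image\15.0.0.0\Windows\Server\Siebel_Web_Server_Extension\Disk1\install
+swse seed: 612 451 241 125 121 (again spaces are for readability)
+11. Siebel Web Server Extension Configuration
+Load balancing: Single Siebel Server
+profile location : C:\Siebel\15.0.0.0.0\ses\gtwysrvr\admin\Webserver
+12. Fix Permission
+Go to C:\Siebel\15.0.0.0.0\eappweb
+Right click properties -> sharing -> advanced sharing.
+share this folder.
+permissions -> add -> advanced -> find and add:
+IUSR
+IIS_IUSRS
+with full permissions.
+13. Setup ISS
+cmd.exe ->
+iisreset
+14. INSTALL WEB CLIENT:
+C:\Siebel_Install_Image\15.0.0.0\Windows\Client\Siebel_Web_Client\Disk1\install
+start setup.bat
+name: CLIENT_HOME
+path: C:\Siebel\15.0.0.0.0\Client
+select: developer web client
+enable openui: no
+db alias: SIEBELDB
+owner: SIEBEL
+siebel FS: C:\SIEBEL_FS
+gateway addr: SIEBELHOST
+enterprise: SBA_82
+request: SIEBELHOST
+15. Install Siebel Tools:
+C:\Siebel_Install_Image\15.0.0.0\Windows\Client\Siebel_Tools\Disk1\install
+start setup.bat
+home: TOOLS_HOME
+c:\Siebel\15.0.0.0.0\Tools
+db alias: SIEBELDB
+owner: SIEBEL
+siebel FS: C:\SIEBEL_FS
+gateway addr: SIEBELHOST
+enterprise: SBA_82
+installation spawns C:\Siebel\15.0.0.0.0\Client\PUBLIC\enu\predeploy.htm
+unblock active x on your IE
+16. Web Access
+login using the start menu shortcuts is:
+userid: SADMIN
+pass: sadmin1password1
+connect to: Server
+add http://siebelhost:8080 to trusted sites
+(http://siebelhost.crm.example.com:8080/start.swe should also be trusted in my case...)
+and in internet tools setup low security profile to start activex controls automatically
+17. Setup anon user:
+Go to Site map -> Administration User -> Employees
+click New and add:
+Last Name: SIEBANON
+First Name: SIEBANON
+User ID: SIEBANON
+Position: Siebel Administrator (?)
+Ctrl+S to save.
+cmd.exe -> sqlplus sys@siebeldb as sysdba
+create user SIEBANON identified by siebanon123;
+grant sse_role to SIEBANON;
+exit
+iisreset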
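Review bot: This runbook commits the live password of every account it creates — the SYS password in step 1, `sadmin1password1` for SIEBEL and SADMIN in steps 3, 5, 6 and 16, `siebanon123` for the anonymous user in steps 8 and 17 — together with the SWSE token and seed, and the README in the same commit describes the repository as a shared collection, so anyone with read access to it can log into the gateway and the database as SADMIN. The Redundant-BGP notes in this commit already use `<CHANGEME>` for the keepalived secret; use the same placeholder here, keep the real values out of git, and rotate the exposed passwords since they are now in history. Step 16's advice to put Internet Explorer on the low security profile so ActiveX starts automatically applies to every site in that zone, not just Siebel; if ActiveX is unavoidable, enable it only for the Trusted Sites zone that the preceding line adds the Siebel host to.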

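--- a/README.md
+++ b/README.md
@@ -0,0 +1 @@
+A collection of files I have used for various tasks.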

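--- a/Redundant-BGP.txt
+++ b/Redundant-BGP.txt
@@ -0,0 +1,116 @@
+Redundant BGP with 2 ISPs, VRRP and Bird.
+/etc/sysctl.conf:
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.lo.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
+net.ipv4.conf.eth1.rp_filter=1
+net.ipv4.ip_forward=1
+net.ipv4.conf.default.forwarding=1
+net.ipv4.conf.all.forwarding=1
+my as = 2000
+as 321 as2000 as 123
+ebgp ibgp ebgp
+isp2 ------> RT2 <------> RT1 <------ isp1
+| .22 .21 |
+eth0 . eth1 | eth0
+. |
+^
+vrrp .1
+/etc/keepalived/keepalived.conf:
+vrrp_instance VI_1 {
+state MASTER
+#state BACKUP #RT2
+interface eth1 #interconnect
+virtual_router_id 51
+priority 100
+#priority 150 #RT2
+advert_int 1
+authentication {
+auth_type PASS
+auth_pass <CHANGEME>
+}
+virtual_ipaddress {
+x.x.x.1 dev eth1
+}
+#notify /script.sh #misc
+}
+/etc/bird/bird.conf:
+log syslog { debug, trace, info, remote, warning, error, auth, fatal, bug };
+#log stderr all;
+#log "tmp" all;
+debug protocols all;
+# Router ID
+router id x.x.x.21;
+#router id x.x.x.22; #RT2
+protocol kernel RT1 {
+learn; # Learn all alien routes from the kernel
+persist; # Don't remove routes on bird shutdown
+scan time 0; # Scan kernel routing table every 20 seconds, 0 disables the scanning and only netlink is used to send/receive kernel routes
+import all; # Default is import all
+export all; # Default is export none
+device routes;
+graceful restart;
+}
+protocol device {
+scan time 60;
+}
+protocol static {
+route x.x.x.0/24 via x.x.x.1;
+}
+# Import all directly connected routes. These come in with RTS_DEVICE
+protocol direct evrdirect {
+interface "*";
+export all;
+}
+filter bgp_out
+{
+#dont poison the ISPs with anything else except your prefix
+if net = x.x.x.0/24 then accept;
+else reject;
+}
+protocol bgp RT1 {
+local as 2000;
+neighbor x.x.x.22 as 2000; # iBGP peering
+#neighbor x.x.x.x.21 as 2000; on RT2
+keepalive time 5;
+graceful restart;
+import all;
+export all;
+preference 50; # highest preference "wins".
+direct;
+gateway direct;
+}
+protocol bgp MAIN {
+local as 2000;
+neighbor y.y.y.y as 123;
+#neighbor z.z.z.z as 321; on RT1
+keepalive time 5;
+graceful restart;
+import all;
+export filter bgp_out;
+hold time 30;
+preference 100;
+}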
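Review bot: The upstream session `protocol bgp MAIN` has `import all;` on an eBGP peer, so whatever the ISP announces — your own x.x.x.0/24 or a more-specific of it, a default route, bogon space — is installed and, through `export all;` on the iBGP session `RT1`, handed to the other router as well; the `bgp_out` filter only guards what leaves the AS. At minimum refuse your own prefix on import, e.g. `import filter { if net ~ [ x.x.x.0/24+ ] then reject; accept; };`, and consider a bogon reject list and a prefix limit on that session. The keepalived `auth_type PASS` secret travels in cleartext in every VRRP advertisement on eth1, which is acceptable only while the interconnect is a dedicated point-to-point link; the comment `#interconnect` could say so. `debug protocols all;` combined with `trace` in the syslog classes will flood the log once both sessions carry full tables and is better left commented out for normal operation.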


@ -0,0 +1,17 @@
some tips i've found in stack overflow. could be useful:
fix symbolic links:
cd c:\windows\system32
mklink /d ora112 c:\Oracle\product\11.2.0\dbhome_1
cd c:\Windows\sysWOW64
mklink /d ora112 c:\Oracle\product\11.2.0\client_1
PATH=C:\windows\System32\ora112\bin;C:\ProgramData\Oracle\Java\javapath;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\;C:\Program Files (x86)\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v1.0\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\
ORACLE_HOME=c:\windows\system32\ora112
Set Registry value HKLM\Software\ORACLE\KEY_OraClient11g_home1\ORACLE_HOME to:
C:\Windows\System32\ora112
Set Registry value HKLM\Software\Wow6432Node\ORACLE\KEY_OraClient11g_home1\ORACLE_HOME to:
C:\Windows\System32\ora112 (not C:\Windows\SysWOW64\System32\ora112)

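--- a/configs/.tmux.conf
+++ b/configs/.tmux.conf
@@ -0,0 +1,138 @@
+# afx .tmux.conf 2017
+# unbind all does not recover the default binds but we can list them
+# and fill the 'gaps' with manual rebind in the conf file using this command:
+# tmux -f /dev/null -L temp start-server \; list-keys
+unbind-key -a
+set-option -g prefix F2 # ctrl+b => F2
+#bind-key a send-key M-a # alt+a = alt+a+a
+bind-key Left send-key M-Left
+bind-key Right send-key M-Right
+#set tab names
+set-window-option -g automatic-rename on
+set-option -g set-titles on
+set -g base-index 1 #0 is too far from ` ;)
+set -g status-keys vi
+set -g history-limit 10000
+set -sg escape-time 0 #No delay for escape key press
+set -g terminal-overrides "screen.xterm-new" #disable italic in searches
+setw -g mode-keys vi
+#setw -g mode-mouse off #tmux 1.9
+#set-option -g mouse on #tmux 2.1
+bind-key r source-file ~/.tmux.conf
+bind-key R refresh-client
+bind-key : command-prompt
+bind-key c new-window
+bind-key w list-window
+bind-key Space next-layout
+bind-key d detach
+bind-key t clock-mode
+bind-key n command-prompt 'rename-window %%'
+bind-key x confirm-before -p "kill-pane #W? (y/n)" kill-pane
+bind-key X confirm-before -p "kill-window #W? (y/n)" kill-window
+bind-key N command-prompt 'rename-session %%'
+bind-key f command-prompt "find-window '%%'"
+bind-key i display-message
+bind-key l last-window
+bind-key w choose-window
+bind-key Escape copy-mode -u
+bind-key Up copy-mode -u
+bind-key | split-window -h
+bind-key \ split-window -h
+bind-key = split-window -v
+bind-key - split-window -v
+#bind-key < swap-window -t :-
+#bind-key > swap-window -t :+
+bind-key 0 select-window -t :0
+bind-key 1 select-window -t :1
+bind-key 2 select-window -t :2
+bind-key 3 select-window -t :3
+bind-key 4 select-window -t :4
+bind-key 5 select-window -t :5
+bind-key 6 select-window -t :6
+bind-key 7 select-window -t :7
+bind-key 8 select-window -t :8
+bind-key 9 select-window -t :9
+# pane selection with Ctrl+ArrowKeys
+bind -n C-Left select-pane -L
+bind -n C-Right select-pane -R
+bind -n C-Up select-pane -U
+bind -n C-Down select-pane -D
+# pane resize with Shift+ArrowKeys
+bind -n S-Left resize-pane -L
+bind -n S-Right resize-pane -R
+bind -n S-Up resize-pane -U
+bind -n S-Down resize-pane -D
+# switch tabs with Alt+Comma and Alt+Dot
+bind -n M-, previous-window
+bind -n M-. next-window
+# loud or quiet?
+set-option -g visual-activity off
+set-option -g visual-bell off
+set-option -g visual-silence off
+set-window-option -g monitor-activity on
+set-option -g bell-action none
+# THEME
+set -g default-terminal "screen-256color"
+set -g status-position top
+set -g status-left ''
+set -g status-utf8 on
+# Basic status bar colors
+set -g status-fg colour240
+set -g status-bg colour233
+# Left side of status bar
+set -g status-left-bg colour233
+set -g status-left-fg colour243
+set -g status-left-length 40
+set -g status-left "#[fg=colour232,bg=colour39,bold] #S #[fg=colour233,bg=colour240] #(whoami) #[fg=colour240,bg=colour235] #I:#P "
+# Right side of status bar
+set -g status-right-bg colour233
+set -g status-right-fg colour243
+set -g status-right-length 150
+set -g status-right "#[fg=colour235,bg=colour233]#[fg=colour240,bg=colour235] %H:%M:%S #[fg=colour240,bg=colour235]#[fg=colour233,bg=colour240] %d-%b-%y #[fg=colour245,bg=colour240]#[fg=colour232,bg=colour245,bold] #H "
+# Window status
+set -g window-status-format " #I:#W#F "
+set -g window-status-current-format " #I:#W#F "
+# Current window status
+set -g window-status-current-bg colour39
+set -g window-status-current-fg colour232
+# Window with activity status
+set -g window-status-activity-bg colour75 # fg and bg are flipped here due to
+set -g window-status-activity-fg colour233 # a bug in tmux
+# Window separator
+set -g window-status-separator ""
+# Window status alignment
+set -g status-justify centre
+# Pane border
+set -g pane-border-bg default
+set -g pane-border-fg colour238
+# Active pane border
+set -g pane-active-border-bg default
+set -g pane-active-border-fg colour39
+# Pane number indicator
+set -g display-panes-colour colour233
+set -g display-panes-active-colour colour245
+# Clock mode
+set -g clock-mode-colour colour39
+set -g clock-mode-style 24
+# Message
+set -g message-bg colour39
+set -g message-fg black
+# Command message
+set -g message-command-bg colour233
+set -g message-command-fg black
+# Mode
+set -g mode-bg colour39
+set -g mode-fg colour232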
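Review bot: `bind-key w` is defined twice in this file, first as `bind-key w list-window` and later as `bind-key w choose-window`; the second binding silently replaces the first, so the `list-window` line is dead and should be dropped or moved to another key, e.g. `bind-key W list-window`. Several options set here (`status-utf8`, the `status-left-bg`/`-fg`, `message-bg`/`-fg` and `mode-bg`/`-fg` pairs, the `-bg`/`-fg` border options) have since been removed from tmux, where an unknown option makes the whole file fail to load; the header comment that explains the `unbind-key -a` strategy is the natural place to record the tmux version this configuration targets, e.g. `# written against tmux 2.x; newer releases reject the *-bg/*-fg options below`.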


@ -0,0 +1,50 @@
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Base16-IR Black]
"Colour0"="145,143,136"
"Colour1"="181,179,170"
"Colour2"="0,0,0"
"Colour3"="36,36,34"
"Colour4"="0,0,0"
"Colour5"="217,215,204"
"Colour6"="0,0,0"
"Colour7"="108,108,102"
"Colour8"="255,108,96"
"Colour9"="233,192,98"
"Colour10"="168,255,96"
"Colour11"="36,36,34"
"Colour12"="255,255,182"
"Colour13"="72,72,68"
"Colour14"="150,203,254"
"Colour15"="145,143,136"
"Colour16"="255,115,253"
"Colour17"="217,215,204"
"Colour18"="198,197,254"
"Colour19"="177,138,61"
"Colour20"="181,179,170"
"Colour21"="253,251,238"


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpErrors>
<remove statusCode="502" subStatusCode="-1" />
<remove statusCode="501" subStatusCode="-1" />
<remove statusCode="500" subStatusCode="-1" />
<remove statusCode="412" subStatusCode="-1" />
<remove statusCode="406" subStatusCode="-1" />
<remove statusCode="405" subStatusCode="-1" />
<remove statusCode="404" subStatusCode="-1" />
<remove statusCode="403" subStatusCode="-1" />
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="400" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\bad_request.html" />
<error statusCode="407" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\proxy_authentication_required.html" />
<error statusCode="414" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\request-uri_too_long.html" />
<error statusCode="415" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\unsupported_media_type.html" />
<error statusCode="503" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\maintenance.html" />
<error statusCode="401" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\unauthorized.html" />
<error statusCode="403" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\forbidden.html" />
<error statusCode="404" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\not_found.html" />
<error statusCode="405" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\method_not_allowed.html" />
<error statusCode="406" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\not_acceptable.html" />
<error statusCode="412" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\precondition_failed.html" />
<error statusCode="500" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\internal_server_error.html" />
<error statusCode="501" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\not_implemented.html" />
<error statusCode="502" prefixLanguageFilePath="" path="D:\appdata\IIS\vhosts\domain.tld\error_docs\bad_gateway.html" />
</httpErrors>
<rewrite>
<rules>
<rule name="Main Rule" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="index.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

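--- a/scripts/aclset.sh
+++ b/scripts/aclset.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+# afx acl setup
+### vars
+watchdir="/srv/test"
+domainadmin="afx"
+password="CHANGEME"
+###
+#init
+controlfile="control.txt"
+passfile="password.txt"
+aclset="";
+acldel="";
+old_IFS=$IFS # save the field separator
+IFS=$'\n' # new field separator, the end of line
+exec > /tmp/afxacl.log 2>&1
+mlocate --database=/tmp/afxacl.db $controlfile > /tmp/afxacl.set.1.tmp
+mlocate --database=/tmp/afxacl.db $passfile > /tmp/afxacl.del.1.tmp
+updatedb --database-root=$watchdir --output /tmp/afxacl.db -l 0
+mlocate --database=/tmp/afxacl.db $controlfile > /tmp/afxacl.set.2.tmp
+mlocate --database=/tmp/afxacl.db $passfile > /tmp/afxacl.del.2.tmp
+setlist=`diff /tmp/afxacl.set.1.tmp /tmp/afxacl.set.2.tmp`
+aclset=`echo "$setlist" | grep '>'`
+dellist=`diff /tmp/afxacl.del.1.tmp /tmp/afxacl.del.2.tmp`
+acldel=`echo "$dellist" | grep '>'`
+#del
+if [ -n "$acldel" ]
+then
+while read dline;
+do
+curcontroldel=`echo "$dline" | cut -c 3-`;
+echo "unlocking $curcontroldel"
+ccut=`expr ${#passfile} + 1`
+cdir=`echo "$curcontroldel" | rev | cut -c $ccut- | rev`
+echo ""
+if [ -d "$cdir" ];
+then
+if grep -q $password "$curcontroldel";
+then
+echo "password accepted"
+chattr -i "$cdir/$controlfile"
+rm "$cdir/$controlfile"
+setfacl -R --remove-all "$cdir"
+chmod 770 "$cdir"
+echo ""
+echo "current permissions:"
+getfacl "$cdir"
+rm "$curcontroldel"
+else
+echo "invalid password!"
+rm "$curcontroldel"
+fi
+else
+echo "warning: whole dir was deleted"
+fi
+echo ""
+echo ""
+done < <(echo "$acldel")
+fi
+# set
+if [ -n "$aclset" ]
+then
+while read cline;
+do
+curcontrolset=`echo "$cline" | cut -c 3-`;
+echo "setting up acl from $curcontrolset"
+ccuser=`stat -c "%U" "$curcontrolset"`
+if [ "$ccuser" != "$domainadmin" ];
+then
+echo "$ccuser is not a valid admin!"
+rm $curcontrolset
+continue;
+fi
+echo ""
+ccut=`expr ${#controlfile} + 1`
+cdir=`echo "$curcontrolset" | rev | cut -c $ccut- | rev`
+chmod 700 "$cdir"
+for uline in $(cat "$curcontrolset")
+do
+echo "add user $uline ..."
+setfacl -R -n -m u:$uline:rwx "$cdir"
+done
+echo "add admin $domainadmin ..."
+setfacl -R -n -m u:$domainadmin:rwx "$cdir"
+setfacl -R -n -m m::rwx "$cdir"
+chattr +i "$curcontrolset"
+echo ""
+echo "current permissions:"
+getfacl "$cdir"
+echo ""
+echo ""
+done < <(echo "$aclset")
+fi
+IFS=$old_IFS # restore default field separator
+if [ -s /tmp/afxacl.log ];
+then
+mutt -s "setacl.sh notice" mailbox@server.com < /tmp/afxacl.log
+fi
+#cleantmp
+rm /tmp/afxacl.set*
+rm /tmp/afxacl.del*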
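Review bot: The unlock loop (`#del`) strips every ACL from a directory and chmods it 770 as soon as a `password.txt` containing the shared secret shows up, without checking who created the file, while the lock loop (`# set`) refuses a `control.txt` not owned by `$domainadmin`; so anyone with write access somewhere under `$watchdir` who learns the password — it is in this script and echoed into the mailed log — can open any protected directory. `grep -q $password "$curcontroldel"` also uses the secret as an unquoted regex and accepts it as a substring, so `grep -qxF -- "$password" "$curcontroldel"` (whole line, fixed string) is what is intended. The fixed scratch names under /tmp (`/tmp/afxacl.log`, `/tmp/afxacl.db`, the `.tmp` files) are truncated with plain redirection and can be pre-created as symlinks by any local user; `mktemp` plus an `EXIT` trap avoids that. If unlocking is meant to be admin-only like locking, the ownership test from the set loop belongs in front of the password test:

```shell
# … unchanged: cdir derived from $curcontroldel …
if [ -d "$cdir" ];
then
    downer=$(stat -c "%U" "$curcontroldel")
    if [ "$downer" != "$domainadmin" ];
    then
        echo "$downer is not a valid admin!"
        rm -- "$curcontroldel"
        continue
    fi
    if grep -qxF -- "$password" "$curcontroldel";
    then
        # … unchanged: chattr -i, rm control file, setfacl --remove-all, chmod 770, getfacl …
```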

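--- a/scripts/arduino.py
+++ b/scripts/arduino.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+""" arduino reader by afx """
+import time, serial
+from sys import argv
+def query_arduino():
+global serial
+serial = serial.Serial('/dev/ttyACM0', 9600)
+serial.write('1')
+query = serial.readline().strip('\r\n').split()
+fo = open('/etc/scripts/.arduino.db', 'wb')
+fo.write(','.join(query))
+fo.close()
+def print_arduino(pmode):
+fr = open('/etc/scripts/.arduino.db', 'r+')
+rquery = fr.read(100);
+print(rquery.split(',')[pmode])
+fr.close()
+if __name__ == "__main__":
+mode = argv
+if mode[1] == 'temp':
+print_arduino(0)
+elif mode[1] == 'humid':
+print_arduino(1)
+elif mode[1] == 'query':
+query_arduino()
+else:
+print('Usage: script.py [temp] [humid]')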
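Review bot: `query_arduino` declares `global serial` and then binds the opened port to that name, which shadows the imported `serial` module; the first call works, but any later call in the same interpreter fails with an AttributeError because `serial.Serial` is now looked up on the `Serial` instance, and the port is never closed either. Use a distinct name and close it: `port = serial.Serial('/dev/ttyACM0', 9600)`, `port.write('1')`, `query = port.readline().strip('\r\n').split()` followed by `port.close()` (or a `try`/`finally`), and open the db file with `with open(...)` so it is closed even if the write fails. The dispatcher indexes `argv[1]` unguarded, so running the script with no argument produces a traceback instead of the usage text, and the usage text omits the `query` mode; `if len(argv) < 2 or argv[1] not in ('temp', 'humid', 'query'):` in front of the chain and `Usage: script.py temp|humid|query` fix both. Note the file is Python 2 only as written (`str` written to a `'wb'` handle, `write('1')` with a str); the `#!/usr/bin/env python` shebang will pick up Python 3 on current systems.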

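--- a/scripts/blackhole.py
+++ b/scripts/blackhole.py
@@ -0,0 +1,76 @@
+#!/usr/bin/python3
+# simple ip blackhole list :)
+# afx Nov 2016
+#
+# requires Pygtail
+# should be installed to iptables filtered machine with DROP and LOG policy
+# the idea is that any traffic coming to this serviceless machine can be assumed
+# as bad and then listed for further processing
+from pygtail import Pygtail
+import sys
+import signal
+import re
+import time
+import json
+kernlog = '/var/log/kern.log'
+dbfile = '/var/www/html/blacklist.txt'
+#add whitelisted ips here:
+whitelist = [ '1.2.3.4',
+'5.6.7.8' ]
+######
+def signal_handler(signal, frame):
+print('You\'ve pressed Ctrl+C. Listing stats and exiting...')
+print('')
+print(json.dumps(stats))
+sys.exit(0)
+signal.signal(signal.SIGINT, signal_handler)
+print('.o.oOo.o. blackhole.py by afx .o.oOo.o.')
+print('^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^')
+print('Whitelist: {}'.format(whitelist))
+blacklist = []
+stats = {}
+try:
+blackfile = open(dbfile, 'r')
+for item in blackfile:
+blacklist.append(item.strip())
+blackfile.close()
+print('Blacklist: {}'.format(blacklist))
+except Exception as e:
+print(e)
+print('Blacklist empty.')
+print('')
+while True:
+time.sleep(1)
+for line in Pygtail(kernlog):
+query = re.findall( r'SRC=[0-9]+(?:\.[0-9]+){3}', line )
+newip = query[0][4:]
+if newip in whitelist:
+print('{} whitelisted'.format(newip))
+continue
+elif newip in blacklist:
+try:
+oldcounter = stats[newip]
+except:
+oldcounter = 0
+counter = oldcounter + 1
+stats.update({ newip: counter })
+print('{} -> {}'.format(newip, str(stats[newip])))
+else:
+print('{} blackholed'.format(newip))
+blacklist.append(newip)
+blackfile = open(dbfile, 'w')
+for item in blacklist:
+blackfile.write("%s\n" % item)
+blackfile.close()
+#EOF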
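Review bot: The main loop takes `query[0][4:]` without checking that the regex matched, so the first `kern.log` line that carries no `SRC=` field — ordinary kernel messages share that file with the iptables LOG lines — raises IndexError and kills the daemon; `if not query: continue` before the index is needed. More importantly, a host that only DROPs never completes a handshake, so the source address of a logged packet is whatever the sender put there: one forged SYN or UDP datagram adds any IP (your resolver, your gateway, a customer) to `blacklist.txt`, which is then published from the web root for other hosts to consume, leaving the whitelist as the only defence against poisoning. Require several hits over a window before listing an address and state in the header comment that the list is advisory and spoofable. Minor: the bare `except:` around the stats lookup should be `except KeyError:` (or simply `stats.get(newip, 0)`), and the file is rewritten in full on every new address.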

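--- a/scripts/clean-maildir.sh
+++ b/scripts/clean-maildir.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# Time to wait before removing mails from the Junk folder (Default: 7 days) Set 0 to turn off.
+junk_max_hours=$((24*2))
+# Time to wait before removing mails from the Trash folder (Default: 30 days) Set 0 to turn off.
+trash_max_hours=$((24*10))
+for domain in /var/vmail/*
+do
+if [ -d "$domain" ]
+then
+for user in $domain/*
+do
+if [ "$junk_max_hours" -gt "0" ]
+then
+if [ -d "$user/Maildir/.Junk" ]
+then
+tmpreaper -m $junk_max_hours $user/Maildir/.Junk/{cur,new}
+fi
+fi
+if [ "$trash_max_hours" -gt "0" ]
+then
+if [ -d "$user/Maildir/.Trash" ]
+then
+tmpreaper -m $trash_max_hours $user/Maildir/.Trash/{cur,new}
+fi
+fi
+done
+fi
+done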
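Review bot: The script runs under `#!/bin/sh` but relies on brace expansion in `$user/Maildir/.Junk/{cur,new}` and the matching `.Trash` line; dash and other POSIX shells do not expand braces, so tmpreaper is handed the literal path `.../.Junk/{cur,new}`, which does not exist, and nothing is reaped. Either change the shebang to `#!/bin/bash` or spell the directories out, e.g. `tmpreaper -m $junk_max_hours "$user/Maildir/.Junk/cur" "$user/Maildir/.Junk/new"`. The header comments also disagree with the code: they say 7 and 30 days while `junk_max_hours=$((24*2))` and `trash_max_hours=$((24*10))` are 2 and 10 days, so one side should be corrected. Quoting `$user` in the `-d` tests and in the tmpreaper arguments costs nothing and keeps an odd mailbox name from splitting the path.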

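--- a/scripts/cronic.sh
+++ b/scripts/cronic.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# Cronic v2 - cron job report wrapper
+# Copyright 2007 Chuck Houpt. No rights reserved, whatsoever.
+# Public Domain CC0: http://creativecommons.org/publicdomain/zero/1.0/
+set -eu
+OUT=/tmp/cronic.out.$$
+ERR=/tmp/cronic.err.$$
+TRACE=/tmp/cronic.trace.$$
+set +e
+"$@" >$OUT 2>$TRACE
+RESULT=$?
+set -e
+PATTERN="^${PS4:0:1}\\+${PS4:1}"
+if grep -aq "$PATTERN" $TRACE
+then
+! grep -av "$PATTERN" $TRACE > $ERR
+else
+ERR=$TRACE
+fi
+if [ $RESULT -ne 0 -o -s "$ERR" ]
+then
+echo "Cronic detected failure or error output for the command:"
+echo "$@"
+echo
+echo "RESULT CODE: $RESULT"
+echo
+echo "ERROR OUTPUT:"
+cat "$ERR"
+echo
+echo "STANDARD OUTPUT:"
+cat "$OUT"
+if [ $TRACE != $ERR ]
+then
+echo
+echo "TRACE-ERROR OUTPUT:"
+cat "$TRACE"
+fi
+fi
+rm -f "$OUT"
+rm -f "$ERR"
+rm -f "$TRACE"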
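Review bot: The three scratch files use predictable names (`/tmp/cronic.out.$$` and friends) and are then opened with plain `>` redirection, so on a shared host any local user can pre-create those paths — as a symlink, or as a file they own and can read — and capture or redirect whatever root's cron job writes, unless `fs.protected_symlinks` happens to save you. Replace the assignments with `OUT=$(mktemp /tmp/cronic.out.XXXXXX)`, `ERR=$(mktemp /tmp/cronic.err.XXXXXX)`, `TRACE=$(mktemp /tmp/cronic.trace.XXXXXX)` and remove them from a `trap 'rm -f "$OUT" "$ERR" "$TRACE"' EXIT` so they are also cleaned up when the wrapper is killed mid-run. Since this is upstream Cronic v2 verbatim, a one-line note under the license header saying the temp-file handling was changed locally will help the next person who diffs it against upstream.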

333
scripts/iptables-vlan.sh Normal file

@ -0,0 +1,333 @@
#!/bin/bash
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth1"
INET_IP="1.2.3.4"
INET_ADMIN="2.3.4.5"
VPN_IFACE="tun+"
VPN_IP="10.8.0.1"
VPN_NET="10.8.0.0/8"
VPN_BCAST="10.255.255.255"
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.5.1"
LOCAL_NET="192.168.5.0/24"
LOCAL_BCAST="192.168.5.255"
EVOIP_IFACE="vlan1234"
EVOIP_IP="10.20.5.50"
EVOIP_NET="10.20.5.48/29"
EVOIP_BCAST="10.20.5.55"
VIDEO_IFACE="vlan1015"
VIDEO_IP="192.168.15.1"
VIDEO_NET="192.168.15.0/24"
VIDEO_BCAST="192.168.15.255"
VOIP_IFACE="vlan1016"
VOIP_IP="192.168.16.1"
VOIP_NET="192.168.16.0/24"
VOIP_BCAST="192.168.16.255"
WIFI_IFACE="vlan1017"
WIFI_IP="192.168.17.1"
WIFI_NET="192.168.17.0/24"
WIFI_BCAST="192.168.17.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/scripts/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/scripts/iptables
echo "done"
exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_mark
#/sbin/modprobe ipt_tcpmss
/sbin/modprobe multiport
/sbin/modprobe ipt_state
#/sbin/modprobe ipt_unclean
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
###############################################################################
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#$IPT -N bad_packets
#$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
#$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
#$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
#$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
#$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN
#$IPT -A icmp_packets -p ICMP -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A udp_inbound -m state --state NEW -p UDP -s 0/0 --destination-port 1194 -j ACCEPT #vpn
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A tcp_inbound -p TCP -s $INET_ADMIN --destination-port 2222 -j ACCEPT #ssh
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
###############################################################################
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
#$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $WIFI_IFACE -s $WIFI_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $WIFI_IFACE -d $WIFI_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $VIDEO_IFACE -s $VIDEO_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $VIDEO_IFACE -d $VIDEO_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $VOIP_IFACE -s $VOIP_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $VOIP_IFACE -d $VOIP_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $VPN_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -i $EVOIP_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
#$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
###############################################################################
echo "Process FORWARD chain ..."
#$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
#forward VIDEO vlan1015 to internet but not to the local network!
###$IPT -A FORWARD -p ALL -i $VIDEO_IFACE -d $LOCAL_NET -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
###$IPT -A FORWARD -p ALL -i $VIDEO_IFACE -d $LOCAL_NET -j DROP
$IPT -A FORWARD -p ALL -i $VIDEO_IFACE -d $LOCAL_NET -j ACCEPT
$IPT -A FORWARD -p ALL -i $VIDEO_IFACE -s $VIDEO_NET -j ACCEPT
#forward VOIP vlan1016 to internet but not to the local network!
$IPT -A FORWARD -p ALL -i $VOIP_IFACE -d $LOCAL_NET -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
$IPT -A FORWARD -p ALL -i $VOIP_IFACE -d $LOCAL_NET -j DROP
$IPT -A FORWARD -p ALL -i $VOIP_IFACE -s $VOIP_NET -j ACCEPT
#forward WIFI vlan1017 to internet but not to the local network!
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d $LOCAL_NET -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d $LOCAL_NET -j DROP
#wifi to DVR allowed:
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d 192.168.15.2 -j ACCEPT
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d 192.168.15.1 -j ACCEPT
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d $VIDEO_NET -j DROP
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d $VOIP_NET -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -d $VOIP_NET -j DROP
$IPT -A FORWARD -p ALL -i $WIFI_IFACE -s $WIFI_NET -j ACCEPT
#forward VPN
$IPT -A FORWARD -p ALL -i $VPN_IFACE -s $VPN_NET -j ACCEPT
#$IPT -A FORWARD -i $VPN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EVOIP_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
###############################################################################
echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $VIDEO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $VIDEO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $WIFI_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $WIFI_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $VOIP_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $VOIP_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $VPN_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $EVOIP_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
###############################################################################
echo "Load rules for nat table ..."
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EVOIP_IFACE -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $VPN_NET -o $INET_IFACE -j MASQUERADE #vpn
###
echo "Loading extra rules ..."
#VOIP
$IPT -I FORWARD -p udp -i $EVOIP_IFACE -d 192.168.16.2 --dport 5060 -j ACCEPT
$IPT -t nat -I PREROUTING -p udp -i $EVOIP_IFACE --dport 5060 -j DNAT --to 192.168.16.2:5060
$IPT -I FORWARD -p udp -i $EVOIP_IFACE -d 192.168.16.2 --dport 10000:20000 -j ACCEPT
$IPT -t nat -I PREROUTING -p udp -i $EVOIP_IFACE --dport 10000:20000 -j DNAT --to 192.168.16.2:10000-20000
#NVR
$IPT -I FORWARD -p tcp -i $INET_IFACE -s 0/0 -d 192.168.15.251 --dport 8001 -j ACCEPT
$IPT -t nat -I PREROUTING -p tcp -i $INET_IFACE --dport 8001 -j DNAT --to 192.168.15.251:8001
$IPT -t nat -I PREROUTING -p tcp -i $WIFI_IFACE -s $WIFI_NET -d $INET_IP --dport 8001 -j DNAT --to 192.168.15.251:8001
$IPT -t nat -I POSTROUTING -p tcp -o $WIFI_IFACE -s $VIDEO_NET -d 192.168.15.251 --dport 8001 -j SNAT --to $INET_IP
#substream
$IPT -I FORWARD -p tcp -i $INET_IFACE -s 0/0 -d 192.168.15.251 --dport 554 -j ACCEPT
$IPT -t nat -I PREROUTING -p tcp -i $INET_IFACE --dport 554 -j DNAT --to 192.168.15.251:554
$IPT -t nat -I PREROUTING -p tcp -i $WIFI_IFACE -s $WIFI_NET -d $INET_IP --dport 554 -j DNAT --to 192.168.15.250:554
$IPT -t nat -I POSTROUTING -p tcp -o $WIFI_IFACE -s $VIDEO_NET -d 192.168.15.251 --dport 554 -j SNAT --to $INET_IP

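--- a/scripts/iptables.sh
+++ b/scripts/iptables.sh
@@ -0,0 +1,267 @@
+#!/bin/bash
+### iptables.sh for ipv4
+SYSCTL="/sbin/sysctl -w"
+IPT="/sbin/iptables"
+IPTS="/sbin/iptables-save"
+IPTR="/sbin/iptables-restore"
+# Internet Interface
+INET_IFACE="pub"
+#INET_IFACE2="pub2"
+INET_ADMIN="1.2.3.4"
+INET_ORB="2.3.4.5"
+# Local Interface Information
+LOCAL_IFACE="dmz"
+LOCAL_IP="192.168.0.5"
+LOCAL_NET="192.168.0.0/24"
+LOCAL_BCAST="192.168.0.255"
+# Localhost Interface
+LO_IFACE="lo"
+LO_IP="127.0.0.1"
+# Save and Restore arguments handled here
+if [ "$1" = "save" ]
+then
+echo -n "Saving firewall to /etc/sysconfig/iptables ... "
+$IPTS > /etc/scripts/iptables
+echo "done"
+exit 0
+elif [ "$1" = "restore" ]
+then
+echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
+$IPTR < /etc/scripts/iptables
+echo "done"
+exit 0
+fi
+echo "Loading kernel modules ..."
+/sbin/modprobe ip_tables
+/sbin/modprobe ip_conntrack
+# /sbin/modprobe iptable_filter
+# /sbin/modprobe iptable_mangle
+# /sbin/modprobe iptable_nat
+# /sbin/modprobe ipt_LOG
+# /sbin/modprobe ipt_limit
+# /sbin/modprobe ipt_MASQUERADE
+# /sbin/modprobe ipt_owner
+# /sbin/modprobe ipt_REJECT
+# /sbin/modprobe ipt_mark
+# /sbin/modprobe ipt_tcpmss
+# /sbin/modprobe multiport
+# /sbin/modprobe ipt_state
+# /sbin/modprobe ipt_unclean
+/sbin/modprobe ip_nat_ftp
+/sbin/modprobe ip_conntrack_ftp
+/sbin/modprobe ip_conntrack_irc
+if [ "$SYSCTL" = "" ]
+then
+echo "1" > /proc/sys/net/ipv4/ip_forward
+else
+$SYSCTL net.ipv4.ip_forward="1"
+fi
+if [ "$SYSCTL" = "" ]
+then
+echo "1" > /proc/sys/net/ipv4/tcp_syncookies
+else
+$SYSCTL net.ipv4.tcp_syncookies="1"
+fi
+if [ "$SYSCTL" = "" ]
+then
+echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
+else
+$SYSCTL net.ipv4.conf.all.rp_filter="1"
+fi
+if [ "$SYSCTL" = "" ]
+then
+echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+else
+$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
+fi
+if [ "$SYSCTL" = "" ]
+then
+echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
+else
+$SYSCTL net.ipv4.conf.all.accept_source_route="0"
+fi
+if [ "$SYSCTL" = "" ]
+then
+echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
+else
+$SYSCTL net.ipv4.conf.all.secure_redirects="1"
+fi
+#if [ "$SYSCTL" = "" ]
+#then
+# echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
+#else
+# $SYSCTL net.ipv4.conf.all.log_martians="1"
+#fi
+###############################################################################
+echo "Flushing Tables ..."
+# Reset Default Policies
+$IPT -P INPUT ACCEPT
+$IPT -P FORWARD ACCEPT
+$IPT -P OUTPUT ACCEPT
+$IPT -t nat -P PREROUTING ACCEPT
+$IPT -t nat -P POSTROUTING ACCEPT
+$IPT -t nat -P OUTPUT ACCEPT
+$IPT -t mangle -P PREROUTING ACCEPT
+$IPT -t mangle -P OUTPUT ACCEPT
+$IPT -F
+$IPT -t nat -F
+$IPT -t mangle -F
+$IPT -X
+$IPT -t nat -X
+$IPT -t mangle -X
+if [ "$1" = "stop" ]
+then
+echo "Firewall completely flushed! Now running with no firewall."
+exit 0
+fi
+$IPT -P INPUT DROP
+$IPT -P OUTPUT DROP
+$IPT -P FORWARD DROP
+###############################################################################
+$IPT -N bad_packets
+$IPT -N bad_tcp_packets
+$IPT -N icmp_packets
+$IPT -N udp_inbound
+$IPT -N udp_outbound
+$IPT -N tcp_inbound
+$IPT -N tcp_outbound
+$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
+$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
+$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
+$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
+$IPT -A bad_packets -p tcp -j bad_tcp_packets
+$IPT -A bad_packets -p ALL -j RETURN
+$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
+$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
+$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+$IPT -A bad_tcp_packets -p tcp -j RETURN
+### ICMP
+#$IPT -A icmp_packets --fragment -p ICMP -j LOG \
+# --log-prefix "fp=icmp_packets:1 a=DROP "
+#$IPT -A icmp_packets --fragment -p ICMP -j DROP
+#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
+#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
+#$IPT -A icmp_packets -p ICMP -j RETURN
+$IPT -A icmp_packets -p ICMP -j ACCEPT
+$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
+$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
+$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
+$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
+$IPT -A udp_inbound -p UDP -j RETURN
+$IPT -A tcp_inbound -p TCP -s $INET_ORB --destination-port 10000 -j ACCEPT
+$IPT -A tcp_inbound -p TCP -s $INET_ORB --destination-port 10001 -j ACCEPT
+$IPT -A tcp_inbound -p TCP -s $INET_ADMIN --destination-port 22 -j ACCEPT
+$IPT -A tcp_inbound -p TCP -j RETURN
+$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
+$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
+###############################################################################
+echo "Process INPUT chain ..."
+$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
+$IPT -A INPUT -p ALL -j bad_packets
+$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
+$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
+$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
+-j ACCEPT
+$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
+#$IPT -A INPUT -p TCP -i $INET_IFACE2 -j tcp_inbound
+$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
+$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
+$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
+$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
+###############################################################################
+echo "Process FORWARD chain ..."
+$IPT -A FORWARD -p ALL -j bad_packets
+$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
+$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
+$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
+$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
+-j ACCEPT
+$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
+###############################################################################
+echo "Process OUTPUT chain ..."
+#$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
+$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
+$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
+$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
+$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
+$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
+#$IPT -A OUTPUT -p ALL -o $INET_IFACE2 -j ACCEPT
+$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
+###############################################################################
+echo "Load rules for nat table ..."
+### MASQUERADE
+$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
+###
+###
+###
+echo "Loading additiona rules ..."
+### VPN
+#$IPT -I INPUT -i tun+ -j ACCEPT
+#$IPT -I OUTPUT -o tun+ -j ACCEPT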
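Review bot: The udp_inbound chain, which is only reached for traffic arriving on `$INET_IFACE`, accepts UDP/53 from any source (`$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT`), so if a recursive resolver is listening on `pub` this host is an open resolver usable for amplification; unless the box is meant to serve DNS to the internet, restrict that rule to the peers that need it (the script already has `$INET_ADMIN` and `$INET_ORB` for that purpose) or drop it. The neighbouring DHCP rule accepts any internet packet whose source port is 67 to port 68, which trusts a field the sender controls; keep it only if `pub` really obtains its address by DHCP. Separately, the reload path sets every policy to ACCEPT before flushing and only sets DROP after the custom chains are created, leaving a short unfiltered window on each restart; setting the three DROP policies before `$IPT -F`, or applying the rule set atomically through the existing `$IPTR`, closes it. The save/restore messages name `/etc/sysconfig/iptables` while the path actually used is `/etc/scripts/iptables`.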

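--- a/scripts/mpd-playlists.sh
+++ b/scripts/mpd-playlists.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+#
+# kozunak.sh - kozunak.org radio sheduler by afx
+# Usage: kozunak.sh <subdir>
+#SETTINGS
+radiodir="/srv/sftp/radio" #location of the music parent dir
+mpdconf="/usr/local/etc/musicpd.conf" #location of mpd.conf
+alwaysrestart=0 #debug purpouses
+################################################
+#BOOT
+prefix="kozunak.sh: [`date "+%H:%M"`]"
+if [ ! -d $radiodir/$1 ] || [ "$1" == "" ] ; then
+echo "$prefix no such playlist $1"
+exit
+fi
+if [ ! -x $mpdconf ] ; then
+echo "cant find musicpd.conf!"
+exit
+fi
+hour=`date +%H`
+if [ "$hour" = "06" ] || [ $alwaysrestart == 1 ]; then
+echo "$prefix server restart"
+musicpd --kill
+sleep 2
+rm -f /var/run/mpd/database
+#mpd --create-db $mpdconf
+musicpd $mpdconf
+fi
+#FIX
+IFS='
+'
+for i in 1 2
+do
+#SCAN FILES
+find "$radiodir/$1/" -depth 1 -name "*.flac" | while read flac ; do
+tmp1flac_a=`metaflac --show-tag=Artist "$flac"`
+tmp2flac_a=${tmp1flac_a:7}
+tmp1flac_n=`metaflac --show-tag=Title "$flac"`
+tmp2flac_n=${tmp1flac_n:6}
+baseflac=$(basename "$flac")
+dirflac=$(dirname "$flac")
+newflac=$(echo "$tmp2flac_a - $tmp2flac_n.flac" | tr ' ' '_' | tr '?' '_' | tr '/' '_' | tr -d '#' | tr -d '\n')
+if [ "$tmp2flac_a" == "" ] || [ "$tmp2flac_n" == "" ] ; then
+if [ "${baseflac:0:2}" == "__" ] ; then
+newflac=$(echo "$baseflac" | tr ' ' '_' | tr '?' '_' | tr '/' '_')
+else
+newflac=$(echo "__$baseflac" | tr ' ' '_' | tr '?' '_' | tr '/' '_')
+fi
+fi
+if [ "$baseflac" != "$newflac" ] ; then
+echo "$prefix found $baseflac -> $newflac"
+mv "$flac" "$dirflac/$newflac"
+fi
+done
+find "$radiodir/$1/" -depth 1 -name "*.mp3" | while read mp3 ; do
+tmpmp3_a=`id3info "$mp3" | grep -i '^=== TPE1 ' | sed 's/^=== TPE1.*: //'`
+if [ "$tmpmp3_a" == "" ] ; then
+tmpmp3_a=`id3v2 -l "$mp3" | grep -i '^TP1 ' | sed 's/^TP1.*: //'`
+fi
+tmpmp3_n=`id3info "$mp3" | grep -i '^=== TIT2 ' | sed 's/^=== TIT2.*: //'`
+if [ "$tmpmp3_n" == "" ] ; then
+tmpmp3_n=`id3v2 -l "$mp3" | grep -i '^TT2 ' | sed 's/^TT2.*: //'`
+fi
+basemp3=$(basename "$mp3")
+dirmp3=$(dirname "$mp3")
+newmp3=$(echo "$tmpmp3_a - $tmpmp3_n.mp3" | tr ' ' '_' | tr '?' '_' | tr '/' '_' | tr -d '#' | tr -d '\n')
+if [ "$tmpmp3_a" == "" ] || [ "$tmpmp3_n" == "" ] ; then
+if [ "${basemp3:0:2}" == "__" ] ; then
+newmp3=$(echo "$basemp3" | tr ' ' '_' | tr '?' '_' | tr '/' '_')
+else
+newmp3=$(echo "__$basemp3" | tr ' ' '_' | tr '?' '_' | tr '/' '_')
+fi
+fi
+if [ "$basemp3" != "$newmp3" ] ; then
+echo "$prefix found $basemp3 -> $newmp3"
+mv "$mp3" "$dirmp3/$newmp3"
+fi
+done
+done
+unset IFS
+#INIT MPD
+musicdir=`awk '/^music_directory/ {print $2}' $mpdconf | cut -d '"' -f2`
+crnt=`mpc -f %file% | head -n 1`
+find $musicdir/* -not -name "$crnt" -exec rm {} +
+mpc --no-status crop
+#IMPORT IN MPD
+count=0
+find "$radiodir/$1/" -depth 1 -name "*" > /tmp/kozunak.temp
+while read fle ; do
+bsfile=$(basename "$fle")
+if [ "$bsfile" = "$crnt" ] ; then
+continue
+fi
+ln -s "$fle" "$musicdir/$bsfile"
+chown nobody:ftpsrv "$musicdir/$bsfile"
+chmod g+w "$musicdir/$bsfile"
+let "count+=1"
+done < /tmp/kozunak.temp
+mpc --no-status --wait update
+sleep 20
+mpc ls | mpc add
+mpc --no-status random on
+mpc --no-status repeat on
+if [ "$hour" = "06" ] || [ $alwaysrestart == 1 ]; then
+mpc --no-status play
+else
+mpc --no-status next
+mpc --no-status next
+sleep 2
+mpc --no-status del 1
+rm "$musicdir/$crnt"
+fi
+#CHANGE BACKGROUND
+#rnd=`/root/scripts/devrandom 1 4`
+#ln -fs /usr/local/www/nginx/purple$rnd.jpg /usr/local/www/nginx/purple.jpg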
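Review bot: The import step writes the file list to the fixed path `/tmp/kozunak.temp` and reads it back, so a local user who pre-creates that name as a symlink can make the script — which evidently runs with enough privilege to kill musicpd, remove `/var/run/mpd/database` and chown files, presumably root — clobber an arbitrary file, and two overlapping runs truncate the list mid-read; use `tmp=$(mktemp) || exit 1`, redirect the `find` output to `"$tmp"`, and read it with `done < "$tmp"` (or `done < <(find ...)`, since the shebang is bash). `$1` is validated only with `-d`, so values such as `../..` pass, and `chown nobody:ftpsrv` and `chmod g+w` on the freshly created link follow it to whatever `$fle` points at; reject names containing `/` with `case "$1" in */*|.|..) exit 1;; esac` and skip source entries that are themselves symlinks with `[ -L "$fle" ] && continue`, which also guards against links uploaded into `$radiodir` over SFTP if the server permits them. The `[ ! -x $mpdconf ]` guard tests the executable bit of a config file and looks like it was meant to be `-r`.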

25
scripts/mssqldump.bat Normal file

@ -0,0 +1,25 @@
@ECHO ON
SETLOCAL
del c:\sqlbackup\*.bak
REM Get date in format YYYY-MM-DD (assumes the locale is the United States)
FOR /F "tokens=1,2,3,4 delims=/ " %%A IN ('Date /T') DO SET NowDate=%%D-%%B-%%C
REM Build a list of databases to backup
SET DBList=%SystemDrive%SQLDBList.txt