Correction & update scripts

default_configuration/dovecot/dovecot.conf.example

@@ -0,0 +1,101 @@
+## Dovecot configuration file
+
+# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
+
+# "doveconf -n" command gives a clean output of the changed settings. Use it
+# instead of copy&pasting files when posting to the Dovecot mailing list.
+
+# '#' character and everything after it is treated as comments. Extra spaces
+# and tabs are ignored. If you want to use either of these explicitly, put the
+# value inside quotes, eg.: key = "# char and trailing whitespace  "
+
+# Most (but not all) settings can be overridden by different protocols and/or
+# source/destination IPs by placing the settings inside sections, for example:
+# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
+
+# Default values are shown for each setting, it's not required to uncomment
+# those. These are exceptions to this though: No sections (e.g. namespace {})
+# or plugin settings are added by default, they're listed only as examples.
+# Paths are also just examples with the real defaults being based on configure
+# options. The paths listed here are for configure --prefix=/usr
+# --sysconfdir=/etc --localstatedir=/var
+
+# Protocols we want to be serving.
+protocols = imap 
+
+# A comma separated list of IPs or hosts where to listen in for connections. 
+# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+# If you want to specify non-default ports or anything more complex,
+# edit conf.d/master.conf.
+listen = *, ::
+
+# Base directory where to store runtime data.
+#base_dir = /var/dovecot/
+
+# Name of this instance. In multi-instance setup doveadm and other commands
+# can use -i <instance_name> to select which instance is used (an alternative
+# to -c <config_path>). The instance name is also added to Dovecot processes
+# in ps output.
+#instance_name = dovecot
+
+# Greeting message for clients.
+#login_greeting = Dovecot ready.
+
+# Space separated list of trusted network ranges. Connections from these
+# IPs are allowed to override their IP addresses and ports (for logging and
+# for authentication checks). disable_plaintext_auth is also ignored for
+# these networks. Typically you'd specify your IMAP proxy servers here.
+#login_trusted_networks =
+
+# Space separated list of login access check sockets (e.g. tcpwrap)
+#login_access_sockets = 
+
+# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
+# proxying. This isn't necessary normally, but may be useful if the destination
+# IP is e.g. a load balancer's IP.
+#auth_proxy_self =
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Should all processes be killed when Dovecot master process shuts down.
+# Setting this to "no" means that Dovecot can be upgraded without
+# forcing existing client connections to close (although that could also be
+# a problem if the upgrade is e.g. because of a security fix).
+#shutdown_clients = yes
+
+# If non-zero, run mail commands via this many connections to doveadm server,
+# instead of running them directly in the same process.
+#doveadm_worker_count = 0
+# UNIX socket or host:port used for connecting to doveadm server
+#doveadm_socket_path = doveadm-server
+
+# Space separated list of environment variables that are preserved on Dovecot
+# startup and passed down to all of its child processes. You can also give
+# key=value pairs to always set specific settings.
+#import_environment = TZ
+
+##
+## Dictionary server settings
+##
+
+# Dictionary can be used to store key=value lists. This is used by several
+# plugins. The dictionary can be accessed either directly or though a
+# dictionary server. The following dict block maps dictionary names to URIs
+# when the server is used. These can then be referenced using URIs in format
+# "proxy::<name>".
+
+dict {
+  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+}
+
+# Most of the actual configuration gets included below. The filenames are
+# first sorted by their ASCII value and parsed in that order. The 00-prefixes
+# in filenames are intended to make it easier to understand the ordering.
+#!include conf.d/*.conf
+
+# A config file can also tried to be included without giving an error if
+# it's not found:
+!include_try local.conf

default_configuration/dovecot/local.conf.example

@@ -0,0 +1,89 @@
+listen = *
+protocols = imap
+first_valid_uid = 1000
+first_valid_gid = 1000
+mail_location = maildir:/var/vmail/%d/%n
+mail_plugin_dir = /usr/local/lib/dovecot
+disable_plaintext_auth = yes
+
+managesieve_notify_capability = mailto
+managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex  imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
+
+mbox_write_locks = fcntl
+mmap_disable = yes
+namespace inbox {
+  inbox = yes
+  location =
+  mailbox Archive {
+  auto = subscribe
+  special_use = \Archive
+  }
+  mailbox Drafts {
+  auto = subscribe
+  special_use = \Drafts
+  }
+  mailbox Junk {
+  auto = subscribe
+  special_use = \Junk
+  }
+  mailbox Sent {
+  auto = subscribe
+  special_use = \Sent
+  }
+  mailbox Trash {
+  auto = subscribe
+  special_use = \Trash
+  }
+  prefix =
+}
+
+service auth {
+    user = $default_internal_user
+    group = _maildaemons
+}
+
+passdb {
+  args = scheme=blf-crypt /etc/mail/passwd
+  driver = passwd-file
+}
+
+plugin {
+  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
+  imapsieve_mailbox1_causes = COPY
+  imapsieve_mailbox1_name = Junk
+  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
+  imapsieve_mailbox2_causes = COPY
+  imapsieve_mailbox2_from = Junk
+  imapsieve_mailbox2_name = *
+  sieve = file:~/sieve;active=~/.dovecot.sieve
+  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
+  sieve_plugins = sieve_imapsieve sieve_extprograms
+}
+
+
+protocols = imap sieve
+service imap-login {
+  inet_listener imap {
+  port = 143
+  }
+}
+
+ssl = required
+
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = EECDH+AESGCM
+ssl_prefer_server_ciphers = yes
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+
+ssl_cert = </etc/ssl/kitoy.me.crt
+ssl_key = </etc/ssl/private/kitoy.me.key
+
+userdb {
+    driver = static
+    args = uid=vmail gid=vmail home=/var/vmail/%d/%n/ 
+}
+
+protocol imap {
+  mail_plugins = " imap_sieve"
+}

default_configuration/nginx/nginx.conf.example

@@ -0,0 +1,52 @@
+
+user www;
+worker_processes auto;
+pid /var/www/run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/www/logs/nginx/access.log;
+        error_log /var/www/logs/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+         ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/sites-enabled/*;
+}

default_configuration/nginx/nginx.conf.example~

@@ -0,0 +1,52 @@
+
+user www;
+worker_processes auto;
+pid /var/www/run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/www/logsnginx/access.log;
+        error_log /var/www/logs/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+         ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/sites-enabled/*;
+}

default_configuration/nginx/site-available/example

@@ -0,0 +1,39 @@
+server {
+        listen 80;
+        server_name __DOMAIN__;
+
+        #Ajout pour les certificats letsencrypt
+        include snippets/acme-challenge.conf;
+
+        return 301 https://$http_host$request_uri;
+
+        root /html/$DOMAIN;
+
+}
+
+server {
+    listen 443 ssl http2;
+    server_name __DOMAIN__;
+
+
+    ssl_certificate         /etc/ssl/__DOMAIN__.crt;
+    ssl_certificate_key     /etc/ssl/private/__DOMAIN__.key;
+
+   #Ajout d'une configuration ssl securise
+   include snippets/secure-ssl.conf;
+
+    # Speeds things up a little bit when resuming a session
+    # ssl_session_timeout 5m;
+    # ssl_session_cache shared:SSL:5m;
+
+        # Ajout pour le certificat letsencrypt
+        include snippets/acme-challenge.conf;
+
+        # Ajout pour securiser les headers
+        include snippets/secure-headers.conf;
+}
+
+    # Path to the root of your installation
+   root /html/$DOMAIN;
+
+}

default_configuration/nginx/site-available/example~

@@ -0,0 +1,39 @@
+server {
+        listen 80;
+        server_name $DOMAIN;
+
+        #Ajout pour les certificats letsencrypt
+        include snippets/acme-challenge.conf;
+
+        return 301 https://$http_host$request_uri;
+
+        root /html/$DOMAIN;
+
+}
+
+server {
+    listen 443 ssl http2;
+    server_name $DOMAIN;
+
+
+    ssl_certificate         /etc/ssl/$DOMAIN.crt;
+    ssl_certificate_key     /etc/ssl/private/$DOMAIN.key;
+
+   #Ajout d'une configuration ssl securise
+   include snippets/secure-ssl.conf;
+
+    # Speeds things up a little bit when resuming a session
+    # ssl_session_timeout 5m;
+    # ssl_session_cache shared:SSL:5m;
+
+        # Ajout pour le certificat letsencrypt
+        include snippets/acme-challenge.conf;
+
+        # Ajout pour securiser les headers
+        include snippets/secure-headers.conf;
+}
+
+    # Path to the root of your installation
+   root /html/$DOMAIN;
+
+}

default_configuration/opensmtpd/smtpd.conf.example

@@ -0,0 +1,31 @@
+# See smtpd.conf(5) for more information.
+# To accept external mail, replace with: listen on all
+#
+# Les certificats
+
+pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
+pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
+
+table aliases file:/etc/mail/aliases
+table passwd file:/etc/mail/passwd
+table virtuals file:/etc/mail/virtuals
+
+filter "rspamd" proc-exec "filter-rspamd"
+filter "dkimsign" proc-exec "filter-dkimsign -d __DOMAIN__ -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
+
+# Activation du check du reverse DNS
+#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
+#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
+
+listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter  rspamd
+listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
+
+action "local_mail" mbox alias <aliases>
+action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
+action "outbound" relay
+
+
+match from any for domain "__DOMAIN__" action "domain_mail"
+match from local for local action "local_mail"
+
+match auth from any for any action "outbound"

default_configuration/opensmtpd/smtpd.conf.example~

@@ -0,0 +1,37 @@
+# See smtpd.conf(5) for more information.
+
+
+# To accept external mail, replace with: listen on all
+#
+
+# les Certificats
+pki "cert_mail" cert "/etc/ssl/__DOMAIN__.crt"
+pki "cert_mail" key "/etc/ssl/private/__DOMAIN__.key"
+
+table aliases file:/etc/mail/aliases
+table passwd file:/etc/mail/passwd
+table virtuals file:/etc/mail/virtuals
+
+filter "rspamd" proc-exec "filter-rspamd"
+filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/__DOMAIN__-private.key" user _dkimsign group _dkimsign
+
+# Activation du check du reverse DNS
+#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
+#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
+
+# To accept external mail, replace with: listen on all
+
+
+listen on all tls pki "cert_mail" hostname "__DOMAIN__" filter  rspamd
+listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
+
+action "local_mail" mbox alias <aliases>
+action "domain_mail" maildir "/var/vmail/__DOMAIN__/%{dest.user:lowercase}" virtual <virtuals>
+action "outbound" relay
+
+
+# Uncomment the following to accept external mail for domain "example.org"
+match from any for domain "__DOMAIN__" action "domain_mail"
+match from local for local action "local_mail"
+
+match auth from any for any action "outbound"

default_configuration/opensmtpd/smtpd.conf~

@@ -0,0 +1,37 @@
+# See smtpd.conf(5) for more information.
+
+
+# To accept external mail, replace with: listen on all
+#
+
+# les Certificats
+pki "cert_mail" cert "/etc/ssl/$DOMAIN.crt"
+pki "cert_mail" key "/etc/ssl/private/$DOMAIN.key"
+
+table aliases file:/etc/mail/aliases
+table passwd file:/etc/mail/passwd
+table virtuals file:/etc/mail/virtuals
+
+filter "rspamd" proc-exec "filter-rspamd"
+filter "dkimsign" proc-exec "filter-dkimsign -d $DOMAIN -s dkim -k /etc/mail/dkim/$DOMAIN-private.key" user _dkimsign group _dkimsign
+
+# Activation du check du reverse DNS
+#filter check_rdns phase connect match !rdns disconnect "550 no rDNS available"
+#filter check_fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS available"
+
+# To accept external mail, replace with: listen on all
+
+
+listen on all tls pki "cert_mail" hostname "$DOMAIN" filter  rspamd
+listen on all port submission tls-require pki "cert_mail" auth <passwd> filter dkimsign
+
+action "local_mail" mbox alias <aliases>
+action "domain_mail" maildir "/var/vmail/$DOMAIN/%{dest.user:lowercase}" virtual <virtuals>
+action "outbound" relay
+
+
+# Uncomment the following to accept external mail for domain "example.org"
+match from any for domain "$DOMAIN" action "domain_mail"
+match from local for local action "local_mail"
+
+match auth from any for any action "outbound"

default_configuration/opensmtpd/spamd.conf.example

@@ -0,0 +1,19 @@
+all:\
+        :nixspam:
+
+# Nixspam recent sources list.
+# Mirrored from http://www.heise.de/ix/nixspam
+nixspam:\
+        :black:\
+        :msg="Your address %A is in the nixspam list\n\
+        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
+        :method=https:\
+        :file=www.openbsd.org/spamd/nixspam.gz
+
+# An example of a list containing addresses which should not talk to spamd.
+#
+#override:\
+#       :white:\
+#       :method=file:\
+#       :file=/var/db/override.txt:
+

default_configuration/pf.conf

@@ -1,14 +1,16 @@
+
 #Filtres badhosts et sshguard
 table <pfbadhost> persist file "/etc/pf-badhost.txt"
 table <sshguard> persist
+table <whitelist> persist
 
 ## Table pour les batards de bruteforceurs
 table <bruteforce> persist
-
+table <http_abusive_hosts> persist
 
 set block-policy drop                  # bloque silencieusement
 set skip on lo                         # En local on s'en fou on surveille rien
-set limit table-entries 400000
+set limit table-entries 400000   
 set limit states 100000
 
 
@@ -30,30 +32,3 @@ block in from <sshguard>
 block log quick from <bruteforce> label "brutes"
 
 pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state
-
-#déclaration des variables
-web_ports = "{ http https }"
-mail_ports = "{ smtp submission imap }"
-xmpp_ports = "{ 5222 5269 }"
-ssh_port = "42420"
-
-## Anti bruteforce
-### SSH
-#### Limite à 5 connexions simultanne par IP source
-#### Limite à 15 tentatives de connexion toutes les 5 minutes
-pass in on egress proto tcp to port $ssh_port  modulate state \
-  (max-src-conn 5, max-src-conn-rate 15/5, overload <bruteforce> flush global)
-
-#web
-pass in on egress proto tcp to port $web_ports modulate state \
-    (max-src-conn 60, max-src-conn-rate 60/1, overload <bruteforce> flush global)
-
-# mails
-## antispam
-pass in on egress proto tcp to port  $mail_ports modulate state \
-  (max-src-conn-rate 20/5, overload <bruteforce> flush global)
-pass out log on egress proto tcp to any port smtp
-
-# XMPP
-pass in on egress proto tcp to port $xmpp_ports modulate state \
-  (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

default_configuration/php/php-fpm.conf

@@ -15,10 +15,10 @@ listen.owner = www
 listen.group = www
 listen.mode = 0660
 pm = dynamic
-pm.max_children = 5
-pm.start_servers = 2
+pm.max_children = 10
+pm.start_servers = 4
 pm.min_spare_servers = 1
-pm.max_spare_servers = 3
+pm.max_spare_servers = 6
 chroot = /var/www
 env[HOSTNAME] = $HOSTNAME
 env[PATH] = /usr/local/bin:/usr/bin:/bin

default_configuration/pywallter/pywallter.rc

@@ -1,15 +1,11 @@
 #!/bin/ksh
 
-daemon="/usr/local/bin/python3"
-daemon_flags="wsgi.py"
+daemon="/usr/local/bin/python3 wsgi.py"
+daemon_execdir="/home/pywallter/pywallter"
 daemon_user="pywallter"
-location="/home/pywallter/pywallter"
 
 . /etc/rc.d/rc.subr
 
-rc_start() {
-        ${rcexec} "cd ${location}; ${daemon} ${daemon_flags}"
-}
 
 rc_bg=YES
 rc_cmd $1