/conf/fail2ban.sh |
108,8 → 108,7 |
backend = auto |
filter = alcasar_mod-evasive |
action = iptables-allports[name=alcasar_mod-evasive] |
logpath = /var/log/httpd/error_log |
/var/log/httpd/ssl_error_log |
logpath = /var/log/lighttpd/access.log |
maxretry = 2 |
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force) |
130,8 → 129,8 |
backend = auto |
filter = alcasar_acc |
action = iptables-allports[name=alcasar_acc] |
logpath = /var/log/httpd/ssl_error_log |
maxretry = 5 |
logpath = /var/log/lighttpd/access.log |
maxretry = 6 |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
[alcasar_intercept] |
141,7 → 140,7 |
backend = auto |
filter = alcasar_intercept |
action = iptables-allports[name=alcasar_intercept] |
logpath = /var/log/httpd/ssl_request_log |
logpath = /var/log/lighttpd/access.log |
maxretry = 5 |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe |
153,7 → 152,7 |
backend = auto |
filter = alcasar_change-pwd |
action = iptables-allports[name=alcasar_change-pwd] |
logpath = /var/log/httpd/ssl_request_log |
logpath = /var/log/lighttpd/access.log |
maxretry = 5 |
EOF |
184,7 → 183,7 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[client <HOST>:[0-9]+\] .*client denied by server configuration |
failregex = <HOST> .+\] "[^"]+" 403 |
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
211,7 → 210,7 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\) |
failregex = <HOST> .+\] "[^"]+" 401 |
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]] |
240,7 → 239,7 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject |
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
268,7 → 267,7 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[<HOST>\] \"POST \/password\.php |
failregex = <HOST> .* \"POST \/password\.php |
# Option: ignoreregex |
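Review bot: The new `alcasar_acc` pattern `failregex = <HOST> .+\] "[^"]+" 401` counts every 401 that lighttpd logs, but under digest authentication the first request for a protected URL is answered with a 401 challenge before any credentials are sent, so each ordinary ACC login spends one of the six retries and repeated legitimate sessions inside `findtime` can ban an administrator; the replaced `[auth_digest:error]` pattern only matched genuine failures. The same concern applies to the `alcasar_mod-evasive` jail, where `failregex = <HOST> .+\] "[^"]+" 403` with `maxretry = 2` now bans on any two 403 responses rather than on httpd's "client denied by server configuration" message — with directory listing disabled in the new vhost, a request for a directory URL without an index page may produce such a 403 (confirm against lighttpd's behaviour). A comment above each regex recording this, e.g. `# NOTE: a 401 is also lighttpd's initial digest challenge, so every new ACC session consumes one retry`, plus a check of `findtime` against typical admin use, would make the trade-off explicit. The hunks show only fragments of the jail and filter definitions; the enclosing heredoc continues outside them.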
/conf/lighttpd/conf.d/fastcgi.conf |
0,0 → 1,16 |
# FastCGI Module |
# --------------- |
# |
# http://www.lighttpd.net/documentation/fastcgi.html |
# |
server.modules += ( "mod_fastcgi" ) |
fastcgi.server = ( |
".php" => ( |
"localhost" => ( |
"socket" => "/var/lib/php-fpm/php-fpm.sock", |
"broken-scriptfilename" => "enable" |
) |
) |
) |
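Review bot: The header comment describes the module but not the coupling that actually breaks deployments: `"socket" => "/var/lib/php-fpm/php-fpm.sock"` must agree with the `listen` directive of the php-fpm pool, and the socket's owner and mode must admit the user lighttpd runs as, or every `.php` request fails at the backend. A comment next to that line such as `# path and permissions must match the php-fpm pool's "listen" settings` would record this for the next maintainer. The header count of 16 lines against the 14 shown suggests blank lines were dropped from this view.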
/conf/lighttpd/vhosts.d/alcasar.conf |
0,0 → 1,89 |
$HTTP["url"] =~ ".*" { |
# Disabling directory listing as default setting |
dir-listing.activate = "disable" |
} |
# If a wrong url is used, displaying homepage for unprivileged users |
$HTTP["url"] !~ "^/(acc|save)/" { |
server.error-handler-404 = "/" |
} |
# Error pages |
server.errorfile-prefix = "/var/www/html/errors/error-" |
$SERVER["socket"] == "alcasar.localdomain:443" { |
ssl.engine = "enable" |
ssl.pemfile = "/etc/pki/tls/private/alcasar.pem" |
ssl.use-sslv2 = "disable" |
ssl.use-sslv3 = "disable" |
ssl.use-compression = "disable" |
ssl.honor-cipher-order = "enable" |
ssl.cipher-list = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" |
var.server_name = "alcasar.localdomain" |
server.name = server_name |
server.document-root = "/var/www/html" |
} |
$HTTP["scheme"] == "https" { |
alias.url = ( |
"/save" => "/var/Save" |
) |
# Digest authentication configuration |
auth.backend = "htdigest" |
auth.debug = 1 |
auth.require = ( |
"/acc/" => |
( |
"method" => "digest", |
"realm" => "ALCASAR Control Center (ACC)", |
"require" => "valid-user" |
), |
"/save/" => |
( |
"method" => "digest", |
"realm" => "ALCASAR Control Center (ACC)", |
"require" => "valid-user" |
) |
) |
$HTTP["url"] =~ "^/(acc|save)/" { |
# Setting digest files according access permissions |
$HTTP["url"] =~ "^/acc/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_all" |
$HTTP["url"] =~ "^/acc/admin" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_admin" |
} |
$HTTP["url"] =~ "^/acc/manager/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_manager" |
} |
$HTTP["url"] =~ "^/acc/backup/" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup" |
} |
} |
$HTTP["url"] =~ "^/save" { |
auth.backend.htdigest.userfile = "/usr/local/etc/digest/key_backup" |
# Enabling directory listing |
dir-listing.activate = "enable" |
} |
} |
} |
$HTTP["scheme"] == "http" { |
# Force HTTPS for privileged users |
$HTTP["url"] =~ "^/(acc|save|(intercept|password).php)" { |
$HTTP["host"] =~ ".*" { |
url.redirect = (".*" => "https://%0$0") |
} |
} |
} |
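Review bot: The `ssl.cipher-list` in the `alcasar.localdomain:443` socket block still admits 3DES suites (`ECDH+3DES:DH+3DES:RSA+3DES`), a 64-bit block cipher that is no longer considered acceptable for TLS; dropping those three members and appending `:!3DES` to the exclusions keeps the rest of the list intact. Two smaller points in the same file: `auth.debug = 1` enables lighttpd's authentication debug logging for the digest-protected `/acc/` and `/save/` trees and should revert to `auth.debug = 0` once the setup is verified; and the HTTP-to-HTTPS redirect `url.redirect = (".*" => "https://%0$0")` builds its target from the client-supplied Host header (`%0` is the match of the enclosing `$HTTP["host"] =~ ".*"`), so a request for `/acc/` carrying a forged Host is redirected to that host — pinning it to the portal name, e.g. `url.redirect = (".*" => "https://alcasar.localdomain$0")`, removes the reflection. The file is new, so all of it is under review; the header count of 89 lines against the 72 shown suggests blank lines were dropped from this view.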