Diffstat (limited to 'debian13/etc')
| -rw-r--r-- | debian13/etc/fail2ban/jail.local | 107 | ||||
| -rw-r--r-- | debian13/etc/nginx/conf.d/antispam.conf | 1 | ||||
| -rw-r--r-- | debian13/etc/nginx/sites-available/dns.mielota.com | 10 | ||||
| -rw-r--r-- | debian13/etc/nginx/sites-available/mail.mielota.com | 10 | ||||
| -rw-r--r-- | debian13/etc/nginx/sites-available/mielota.com | 38 | ||||
| -rw-r--r-- | debian13/etc/systemd/system/blocky.service | 16 |
6 files changed, 182 insertions, 0 deletions
diff --git a/debian13/etc/fail2ban/jail.local b/debian13/etc/fail2ban/jail.local
new file mode 100644
index 0000000..2202c3e
--- /dev/null
+++ b/debian13/etc/fail2ban/jail.local
@@ -0,0 +1,107 @@
+# My personnal fail2ban jail config :)
+#
+# It's a really evil config, you should raise the value of
+# "maxretry" accross the file and lower bantime
+# to not block legitimate users (like you).
+#
+# For the "filters", see /etc/fail2ban/filters.d/
+# (these are files managed by Fail2Ban and your Package Manager)
+
+
+# Default values
+# They can be overriden by each subsections
+
+[DEFAULT]
+bantime = 24h
+findtime = 6h
+bantime.increment = true
+maxretry = 2
+action = iptables-allports
+backend = auto
+# ignoreip won't ban specified IP addresses
+# Put the local IPs of your network if desired
+# For example if they all start with 192.168.0
+ignoreip = 192.168.0.0/24
+
+# SSH
+# Enable it if you use SSH outside of your local network.
+
+[sshd]
+enabled = false
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 3
+bantime = 3700
+findtime = 3600
+
+# Nginx configuration
+# On debian 13 (for now) the nginx filters don't work
+# if we don't define "backend = auto" (See [DEFAULT] section)
+# They also don't work without specifying the logpath
+
+[nginx-bad-request]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+filter = nginx-bad-request
+
+[nginx-botsearch]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+filter = nginx-botsearch
+
+# Only triggers if limit req is enabled in your nginx conf
+# See mine at etc/nginx/conf.d/antispam.conf
+# And the line in etc/nginx/sites-available/mielota.com
+[nginx-limit-req]
+enabled = true
+port = http,https
+log_path = /var/log/nginx/error.log
+filter = nginx-limit-req
+
+[nginx-forbidden]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+ /var/log/nginx/error.log
+filter = nginx-forbidden
+
+# [nginx-error-common]
+# enabled = true
+# port = http,https
+# logpath = /var/log/nginx/access.log
+# /var/log/nginx/error.log
+# filter = nginx-error-common
+
+# [nginx-http-auth]
+# enabled = true
+# port = http,https
+# logpath = 
/var/log/nginx/access.log
+# /var/log/nginx/error.log
+# filter = nginx-http-auth
+
+# EMAIL SERVER CONFIGURATION
+# HARDENED https://github.com/lukesmithxyz/emailwiz
+
+# If you used emailwiz.sh, the script created a file named
+# emailwiz.local in etc/fail2ban/jail.d/
+# Remove it if you are going to use the configuration below
+
+[postfix-sasl]
+enabled = true
+maxretry = 0
+
+[sieve]
+enabled = true
+maxretry = 0
+
+[postfix]
+enabled = true
+mode = aggressive
+maxretry = 0
+
+[dovecot]
+enabled = true
+mode = aggressive
+maxretry = 0
diff --git a/debian13/etc/nginx/conf.d/antispam.conf b/debian13/etc/nginx/conf.d/antispam.conf
new file mode 100644
index 0000000..2bbae91
--- /dev/null
+++ b/debian13/etc/nginx/conf.d/antispam.conf
@@ -0,0 +1 @@
+limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=1r/s;
diff --git a/debian13/etc/nginx/sites-available/dns.mielota.com b/debian13/etc/nginx/sites-available/dns.mielota.com
new file mode 100644
index 0000000..1bfb1b2
--- /dev/null
+++ b/debian13/etc/nginx/sites-available/dns.mielota.com
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name dns.mielota.com;
+
+ location / {
+ proxy_pass http://127.0.0.1:4000;
+ }
+}
diff --git a/debian13/etc/nginx/sites-available/mail.mielota.com b/debian13/etc/nginx/sites-available/mail.mielota.com
new file mode 100644
index 0000000..545deca
--- /dev/null
+++ b/debian13/etc/nginx/sites-available/mail.mielota.com
@@ -0,0 +1,10 @@
+server {
+ server_name mail.mielota.com;
+
+ listen 80;
+ listen [::]:80;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/debian13/etc/nginx/sites-available/mielota.com b/debian13/etc/nginx/sites-available/mielota.com
new file mode 100644
index 0000000..6011611
--- /dev/null
+++ b/debian13/etc/nginx/sites-available/mielota.com
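Review bot: The `[nginx-limit-req]` jail writes `log_path = /var/log/nginx/error.log`, but fail2ban's option is `logpath`, so the misspelt key is ignored and the jail runs with the filter's default path — which the comment above the nginx section says does not work on this Debian 13 setup; change it to `logpath = /var/log/nginx/error.log`. The mail jails set `maxretry = 0`, which with `bantime = 24h`, `bantime.increment = true` and an `ignoreip` covering only 192.168.0.0/24 means a single mistyped mail password from outside the LAN bans that client for at least a day; the header acknowledges the config is aggressive, but a comment on those jails, e.g. `# maxretry = 0: the first failed login bans the client for bantime`, would save the next reader from learning it by lockout. `action = iptables-allports` in `[DEFAULT]` presumably works on this host, but Debian 13 ships nftables rather than iptables by default, so it silently depends on the iptables (or iptables-nft) package being present — fail2ban's `nftables-allports` action avoids that dependency.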
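Review bot: `location /` proxies the entire vhost to `127.0.0.1:4000` with no `proxy_set_header` lines, so the upstream sees `Host: 127.0.0.1:4000` and never learns the client address; adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` fixes both. If port 4000 is blocky's HTTP listener (presumably, given the `blocky.service` unit in this commit), that listener also serves blocky's REST API, which to my knowledge carries no authentication of its own, so this vhost publishes it unauthenticated to anyone who can reach port 80; limit the proxied paths to what clients actually need or put `allow`/`deny` or auth in front of the rest. The vhost is plain HTTP only, so unless TLS is added later (certbot, presumably) any DoH use of this hostname is unencrypted.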
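Review bot: This `server` block has no `root`, so `try_files $uri $uri/ =404` resolves against nginx's compiled-in default document root (typically `/usr/share/nginx/html` on Debian) rather than anything mail-specific, which is probably not intended. Either add an explicit `root /var/www/mail.mielota.com;` (constructed path — use the real one) or, if the vhost only exists as a stub for the mail hostname, say so with a comment such as `# placeholder vhost for the mail hostname; serves nothing, only used for ACME challenges`.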
@@ -0,0 +1,38 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name mielota.com;
+
+ # Limit requests
+ limit_req zone=req_limit_per_ip burst=5 nodelay;
+
+ root /var/www/mielota.com/public;
+ index index.html;
+
+ location ~* \.(?:jpg|jpeg|gif|png|ico|svg|webp)$ {
+ expires 1M;
+ access_log off;
+ add_header Cache-Control "max-age=2629746, public";
+ }
+ location ~* \.(?:css|js)$ {
+ expires 1y;
+ access_log off;
+ add_header Cache-Control "max-age=31556952, public";
+ }
+ gzip on;
+ gzip_min_length 1100;
+ gzip_buffers 4 32k;
+ gzip_types text/plain application/x-javascript text/xml text/css;
+ gzip_vary on;
+
+ # File not found ?
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ # 404 custom page
+ error_page 404 /404.html;
+
+ rewrite ^/march.sh$ https://codeberg.org/mielota/dox/raw/branch/main/home/.local/bin/march.sh permanent;
+}
diff --git a/debian13/etc/systemd/system/blocky.service b/debian13/etc/systemd/system/blocky.service
new file mode 100644
index 0000000..8b5e46a
--- /dev/null
+++ b/debian13/etc/systemd/system/blocky.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Blocky DNS
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=10s
+Type=simple
+User=blocky
+Group=blocky
+WorkingDirectory=/opt/blocky/
+ExecStart=/opt/blocky/blocky -c blocky.yml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
|
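Review bot: `limit_req zone=req_limit_per_ip burst=5 nodelay;` is set at `server` level, so it is inherited by the static-asset locations below it; with the zone's `rate=1r/s` from antispam.conf, one page view that pulls more than six assets gets 503s, and each of those writes a "limiting requests" line to error.log that the `[nginx-limit-req]` jail in this commit (DEFAULT `maxretry = 2`, `bantime = 24h`) turns into a day-long ban of an ordinary visitor. Either raise rate/burst to cover a full page load or move the `limit_req` line into `location /` so asset fetches are not counted. Separately, `gzip_types` lists the legacy `application/x-javascript`; nginx serves `.js` under the type in its own mime.types (`application/javascript` or `text/javascript` depending on version), so JavaScript is most likely not being compressed — list the type mime.types actually uses.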
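Review bot: `[Service]` runs blocky as `User=blocky` with no capabilities, so if blocky.yml binds port 53 (the usual case for a resolver; the config is not in this commit) the process cannot bind a privileged port and `Restart=always` will just restart it every 10 s — add `AmbientCapabilities=CAP_NET_BIND_SERVICE` next to `User=`. The unit also has no sandboxing, so a bug in a network-exposed resolver gives full filesystem access as that user; the directives below are the usual minimal set and should be safe for a process that only reads /opt/blocky, but if blocky.yml enables file-based query logging that directory needs a `ReadWritePaths=` entry. `After=syslog.target` is obsolete on current systemd and can be dropped; `Wants=network-online.target` plus `After=network-online.target` is closer to what a service binding non-loopback addresses needs.
```ini
[Service]
# … unchanged: RestartSec, Type, User, Group, WorkingDirectory, ExecStart, Restart …
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```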
