diff --git a/debian/install.sh b/debian/install.sh
old mode 100755
new mode 100644
index a30493f9..36d1ed49
--- a/debian/install.sh
+++ b/debian/install.sh
@@ -38,6 +38,9 @@ echo "set mouse-=a" >> ~/.vimrc #IPTables resources/iptables.sh +#NFTables +#resources/nftables.sh + #sngrep resources/sngrep.sh
diff --git a/debian/pre-install.sh b/debian/pre-install.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/applications.sh b/debian/resources/applications.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/arguments.sh b/debian/resources/arguments.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/backup/fusionpbx-backup b/debian/resources/backup/fusionpbx-backup
old mode 100755
new mode 100644
diff --git a/debian/resources/backup/fusionpbx-maintenance b/debian/resources/backup/fusionpbx-maintenance
old mode 100755
new mode 100644
diff --git a/debian/resources/colors.sh b/debian/resources/colors.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/config.sh b/debian/resources/config.sh
old mode 100755
new mode 100644
index e54c675a..07ea59e7
--- a/debian/resources/config.sh
+++ b/debian/resources/config.sh
@@ -27,7 +27,7 @@ database_port=5432 # port number database_backup=false # true or false # General Settings -php_version=8.2 # PHP version 8.3, 8.2, 8.1 +php_version=8.4 # PHP version 8.4, 8.3, 8.2, 8.1 letsencrypt_folder=true # true or false # Optional Applications
diff --git a/debian/resources/environment.sh b/debian/resources/environment.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban.sh b/debian/resources/fail2ban.sh
old mode 100755
new mode 100644
index b5cf2da3..2bea3b1a
--- a/debian/resources/fail2ban.sh
+++ b/debian/resources/fail2ban.sh
@@ -8,6 +8,8 @@ cd "$(dirname "$0")" . ./colors.sh . ./environment.sh +FILE_PATH="/etc/iptables/rules.v4" + #send a message verbose "Installing Fail2ban"
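Review bot: Every script in this commit, `debian/install.sh` included, changes from mode 100755 to 100644, yet the context lines of the install.sh hunk show the helpers being invoked by path (`resources/iptables.sh`, `resources/sngrep.sh`), which fails with "Permission denied" once the execute bit is gone. Unless the modes are restored somewhere outside this diff, the firewall and Fail2ban steps would be skipped during installation. If the mode change is unintentional (for example a checkout on a filesystem without execute bits), restore it with `git update-index --chmod=+x <script>`; otherwise call the helpers through the interpreter explicitly. The added `#resources/nftables.sh` line is commented out, so a one-line comment saying when to enable it in place of `resources/iptables.sh` would also help.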
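Review bot: In fail2ban.sh, `FILE_PATH` becomes the only signal for choosing the firewall backend: the next hunk's `if [ ! -f "$FILE_PATH" ]` test assumes nftables whenever `/etc/iptables/rules.v4` is absent. Absence of that file does not show that nftables is installed or active; the file is also missing if the iptables step failed or was skipped, and install.sh in this commit still leaves `resources/nftables.sh` commented out, so Fail2ban could be configured with nftables actions that cannot apply bans. Prefer a positive test such as `command -v nft >/dev/null 2>&1`, or an explicit setting in config.sh. The variable would also read better with a descriptive name such as `iptables_rules_file` and a comment stating what its presence means.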
@@ -26,7 +28,17 @@ cp fail2ban/fusionpbx-mac.conf /etc/fail2ban/filter.d/fusionpbx-mac.conf cp fail2ban/fusionpbx-404.conf /etc/fail2ban/filter.d/fusionpbx-404.conf cp fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf cp fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf -cp fail2ban/jail.local /etc/fail2ban/jail.local +if [ ! -f "$FILE_PATH" ]; then + echo "Found nftables to be chosen, configuring system for nftables." + cp fail2ban/jail.local.nft /etc/fail2ban/jail.local + sed -i 's/iptables/nftables/g' /etc/fail2ban/jail.conf + else + echo "Default iptables was installed." + cp fail2ban/jail.local /etc/fail2ban/jail.local +fi + + + #update config if source is being used #if [ .$switch_source = .true ]; then
diff --git a/debian/resources/fail2ban/freeswitch-ip.conf b/debian/resources/fail2ban/freeswitch-ip.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/freeswitch.conf b/debian/resources/fail2ban/freeswitch.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/fusionpbx-404.conf b/debian/resources/fail2ban/fusionpbx-404.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/fusionpbx.conf b/debian/resources/fail2ban/fusionpbx.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/jail.local b/debian/resources/fail2ban/jail.local
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/jail.local.nft b/debian/resources/fail2ban/jail.local.nft
new file mode 100644
index 00000000..e51082b8
--- /dev/null
+++ b/debian/resources/fail2ban/jail.local.nft
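Review bot: In the nftables branch, `sed -i 's/iptables/nftables/g' /etc/fail2ban/jail.conf` rewrites the packaged default file in place and replaces every occurrence of the string, comments and any action name containing it included, so it can leave references to actions that do not exist and will conflict with package upgrades of that file. jail.conf is meant to stay untouched with overrides in jail.local; setting `banaction = nftables-multiport` and `banaction_allports = nftables-allports` under `[DEFAULT]` in `jail.local.nft` does the same job without the sed. The `cp` and `sed` results are not checked, so a missing `fail2ban/jail.local.nft` would leave Fail2ban without the project's jails and no error; add `|| exit 1` with a message. The text "Found nftables to be chosen" is printed when the iptables rules file is merely absent and is worth rewording to say that.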
@@ -0,0 +1,151 @@
+[DEFAULT]
+# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
+#findtime = 10m #Default Value on jail.conf. Uncomment this to use another value.
+#bantime = 10m #Default Value on jail.conf. Uncomment this to use another value.
+#maxretry = 5 #Default Value on jail.conf. Uncomment this to use another value.
+#ignoreip = ip/subnet ip/subnet #Uncomment and add IPs and subnets you don't wish to ban.
+# Save your modified copy of this for future use as a drop-in replacement.
+
+[ssh]
+enabled = true
+port = 22
+protocol = ssh
+filter = sshd
+logpath = /var/log/auth.log
+action = nftables-allports[name=sshd, protocol=all]
+maxretry = 6
+findtime = 60
+bantime = 86400
+
+[freeswitch]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=freeswitch, protocol=all]
+maxretry = 10
+findtime = 60
+bantime = 3600
+# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+
+[freeswitch-acl]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch-acl
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=freeswitch-acl, protocol=all]
+maxretry = 900
+findtime = 60
+bantime = 86400
+
+[freeswitch-ip]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch-ip
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=freeswitch-ip, protocol=all]
+maxretry = 1
+findtime = 60
+bantime = 86400
+
+[auth-challenge-ip]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = auth-challenge-ip
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=auth-challenge-ip, protocol=all]
+maxretry = 1
+findtime = 60
+bantime = 86400
+
+[sip-auth-challenge]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = sip-auth-challenge
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=sip-auth-challenge, protocol=all]
+maxretry = 100
+findtime = 60
+bantime = 7200
+
+[sip-auth-failure]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = sip-auth-failure
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=sip-auth-failure, protocol=all]
+maxretry = 6
+findtime = 60
+bantime = 7200
+
+[fusionpbx-404]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = fusionpbx-404
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+action = nftables-allports[name=fusionpbx-404, protocol=all]
+maxretry = 6
+findtime = 60
+bantime = 86400
+
+[fusionpbx]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = fusionpbx
+logpath = /var/log/auth.log
+action = nftables-allports[name=fusionpbx, protocol=all]
+# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 20
+findtime = 60
+bantime = 3600
+
+[fusionpbx-mac]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = fusionpbx-mac
+logpath = /var/log/syslog
+action = nftables-allports[name=fusionpbx-mac, protocol=all]
+# sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 10
+findtime = 60
+bantime = 86400
+
+[nginx-404]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nginx-404
+logpath = /var/log/nginx/access*.log
+action = nftables-allports[name=nginx-404, protocol=all]
+bantime = 3600
+findtime = 60
+maxretry = 300
+
+[nginx-dos]
+# Based on apache-badbots but a simple IP check (any IP requesting more than
+# 300 pages in 60 seconds, or 5p/s average, is suspicious)
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nginx-dos
+logpath = /var/log/nginx/access*.log
+action = nftables-allports[name=nginx-dos, protocol=all]
+findtime = 60
+bantime = 86400
+maxretry = 800
diff --git a/debian/resources/fail2ban/nginx-404.conf b/debian/resources/fail2ban/nginx-404.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/nginx-dos.conf b/debian/resources/fail2ban/nginx-dos.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/fail2ban/sip-auth-failure.conf b/debian/resources/fail2ban/sip-auth-failure.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/finish.sh b/debian/resources/finish.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/fusionpbx.sh b/debian/resources/fusionpbx.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/ioncube.sh b/debian/resources/ioncube.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/iptables.sh b/debian/resources/iptables.sh
old mode 100755
new mode 100644
index 87ff2601..33d2ef75
--- a/debian/resources/iptables.sh
+++ b/debian/resources/iptables.sh
@@ -27,6 +27,11 @@ if [ ."$os_codename" = ."bookworm" ]; then update-alternatives --set iptables /usr/sbin/iptables-legacy update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy fi +if [ ."$os_codename" = ."trixie" ]; then + apt-get install -y iptables + update-alternatives --set iptables /usr/sbin/iptables-legacy + update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy +fi #remove ufw ufw reset
diff --git a/debian/resources/letsencrypt.sh b/debian/resources/letsencrypt.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/letsencrypt/domain_name.conf b/debian/resources/letsencrypt/domain_name.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/monit.sh b/debian/resources/monit.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/monit/shell.sh b/debian/resources/monit/shell.sh
old mode 100755
new mode 100644
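Review bot: In the new jail.local.nft, the enabled `[ssh]` and `[fusionpbx]` jails read `/var/log/auth.log` and `[fusionpbx-mac]` reads `/var/log/syslog`; on Debian releases that do not install rsyslog by default (bookworm and, presumably, the trixie target this commit adds) those files may not exist, and Fail2ban refuses to start a jail whose log file is missing. Confirm the installer provides rsyslog, or use `backend = systemd` for `[ssh]`. In the same section `protocol = ssh` is not a protocol value (tcp, udp, icmp, all); it is masked only because the action passes `protocol=all`, so `protocol = tcp` would be clearer. Every SIP-facing jail (`[freeswitch]`, `[sip-auth-failure]` and the others on `5060:5091`) is `enabled = false`, so a header comment saying they are off by default and how to turn them on would prevent the assumption that SIP authentication failures are being banned.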
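Review bot: The added trixie block in iptables.sh appears to be a copy of the bookworm block directly above it, so the two will drift when one is edited; a single test such as `if [ ."$os_codename" = ."bookworm" ] || [ ."$os_codename" = ."trixie" ]; then` keeps one copy. The result of `apt-get install -y iptables` is not checked before the two `update-alternatives` calls, so a failed install leaves the backend unchanged with no message. The block also forces iptables-legacy on trixie while fail2ban.sh in this commit gains an nftables path, so a short comment stating which backend is intended on trixie would help. The bookworm block begins outside the hunk.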
diff --git a/debian/resources/nftables.sh b/debian/resources/nftables.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/nginx.sh b/debian/resources/nginx.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/nginx/fusionpbx b/debian/resources/nginx/fusionpbx
old mode 100755
new mode 100644
diff --git a/debian/resources/php.sh b/debian/resources/php.sh
old mode 100755
new mode 100644
index f2005dff..a90abe78
--- a/debian/resources/php.sh
+++ b/debian/resources/php.sh
@@ -105,7 +105,7 @@ else
 fi
 fi
 if [ ."$os_codename" = ."trixie" ]; then
- if [ ."$php_version" = ."8.2" ]; then
+ if [ ."$php_version" = ."8.4" ]; then
 /usr/bin/apt -y install apt-transport-https lsb-release ca-certificates curl wget gnupg2
 /usr/bin/wget -qO- https://packages.sury.org/php/apt.gpg | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg
 /usr/bin/chmod 644 /etc/apt/keyrings/sury-php-8.x.gpg
diff --git a/debian/resources/postgresql.sh b/debian/resources/postgresql.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/create.sh b/debian/resources/postgresql/create.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/dsn.sh b/debian/resources/postgresql/dsn.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/empty.sh b/debian/resources/postgresql/empty.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/iptables.sh b/debian/resources/postgresql/iptables.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/node.sh b/debian/resources/postgresql/node.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/pg_hba.conf b/debian/resources/postgresql/pg_hba.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/postgresql/pg_hba.sh b/debian/resources/postgresql/pg_hba.sh
old mode 100755
new mode 100644
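Review bot: On trixie the Sury repository setup in php.sh now runs only when `php_version` is exactly `8.4`, while the comment in config.sh still offers 8.3, 8.2 and 8.1; as far as this hunk shows, any of those values skips the block silently. Either match each supported version with `case "$php_version" in 8.1|8.2|8.3|8.4)` or add an `else` that prints an error and exits. In the unchanged lines below, the key is written by `wget -qO- ... | gpg --dearmor > /etc/apt/keyrings/sury-php-8.x.gpg` with no status check, so a failed download leaves an empty or partial keyring file and a later apt error that is hard to trace; downloading to a temporary file and checking the exit status before `gpg --dearmor` is more robust. The enclosing `if`/`else` starts and ends outside the hunk.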
diff --git a/debian/resources/postgresql/postgresql.conf b/debian/resources/postgresql/postgresql.conf
old mode 100755
new mode 100644
diff --git a/debian/resources/random.sh b/debian/resources/random.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/reboot_phones.sh b/debian/resources/reboot_phones.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/reset_admin_password.sh b/debian/resources/reset_admin_password.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/sngrep.sh b/debian/resources/sngrep.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch.sh b/debian/resources/switch.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/conf-copy.sh b/debian/resources/switch/conf-copy.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/dsn.sh b/debian/resources/switch/dsn.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/package-all.sh b/debian/resources/switch/package-all.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/package-master-all.sh b/debian/resources/switch/package-master-all.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/package-master.sh b/debian/resources/switch/package-master.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/package-permissions.sh b/debian/resources/switch/package-permissions.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/package-release.sh b/debian/resources/switch/package-release.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/package-systemd.sh b/debian/resources/switch/package-systemd.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/repo.sh b/debian/resources/switch/repo.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source-master.sh b/debian/resources/switch/source-master.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source-permissions.sh b/debian/resources/switch/source-permissions.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source-release.sh b/debian/resources/switch/source-release.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source-sounds.sh b/debian/resources/switch/source-sounds.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source-systemd.sh b/debian/resources/switch/source-systemd.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source-to-package.sh b/debian/resources/switch/source-to-package.sh
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source/etc.default.freeswitch.package b/debian/resources/switch/source/etc.default.freeswitch.package
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source/etc.default.freeswitch.source b/debian/resources/switch/source/etc.default.freeswitch.source
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source/freeswitch.service.package b/debian/resources/switch/source/freeswitch.service.package
old mode 100755
new mode 100644
diff --git a/debian/resources/switch/source/freeswitch.service.source b/debian/resources/switch/source/freeswitch.service.source
old mode 100755
new mode 100644
diff --git a/debian/resources/upgrade/php.sh b/debian/resources/upgrade/php.sh
old mode 100755
new mode 100644