feat: Initial Project 🎉

templates/csf.allow.j2

@@ -0,0 +1,34 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following IP addresses will be allowed through iptables.
+# One IP address per line.
+# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
+# Only list IP addresses, not domain names (they will be ignored)
+#
+# Advanced port+ip filtering allowed with the following format
+# tcp/udp|in/out|s/d=port,port,...|s/d=ip
+# See readme.txt for more information
+#
+# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
+# can still be blocked. If you do not want lfd to block an IP address you must
+# add it to csf.ignore
+
+# BEGIN GENERAL ALLOW LIST
+{% if ansible_env['SSH_CONNECTION'] is defined %}
+{{ ansible_env['SSH_CONNECTION'].split()[0] }} # csf SSH installation/upgrade IP address
+{% endif %}
+{% for ip in csf_allow | default([]) %}
+{{ ip }}
+{% endfor %}
+# END GENERAL ALLOW LIST
+{% if csf_allow_host is defined %}
+
+# BEGIN HOST SPECIFIC ALLOW LIST
+{% for ip in csf_allow_host | default([]) %}
+{{ ip }}
+{% endfor %}
+# END HOST SPECIFIC ALLOW LIST
+{% endif %}

templates/csf.dyndns.j2

@@ -0,0 +1,32 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following FQDN's will be allowed through the firewall. This is controlled
+# by lfd which checks the DNS resolution of the FQDN and adds the ip address
+# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
+# updates every DYNDNS seconds if set.
+#
+# If the FQDN has multiple A records then all of the IP addresses will be
+# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
+# installed, then all IPv6 AAAA IP address records will also be allowed.
+#
+# Only list fully qualified domain names (FQDN's) in this file, either on their
+# own to allow full access, or using Advanced Allow/Deny Filters (see
+# readme.txt)
+#
+
+# BEGIN GENERAL DYNDNS ALLOW LIST
+{% for fqdn in csf_dyndns | default([]) %}
+{{ fqdn }}
+{% endfor %}
+# END GENERAL DYNDNS ALLOW LIST
+{% if csf_dyndns_host is defined %}
+
+# BEGIN HOST SPECIFIC DYNDNS ALLOW LIST
+{% for fqdn in csf_dyndns_host %}
+{{ fqdn }}
+{% endfor %}
+# END HOST SPECIFIC DYNDNS ALLOW LIST
+{% endif %}

templates/csf.fignore.j2

@@ -0,0 +1,37 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of files that lfd directory watching will ignore. You
+# must specify the full path to the file
+#
+# You can also use perl regular expression pattern matching, for example:
+# /tmp/clamav.*
+# /tmp/.*\.wrk
+#
+# Remember that you will need to escape special characters (precede them with a
+# backslash) such as \. \?
+#
+# Pattern matching will only occur with strings containing an asterix (*),
+# otherwise full file path matching will be applied
+#
+# You can also add entries to ignore files owner by a particular user by
+# preceding it with user:, for example:
+# user:bob
+#
+# Note: files owned by root are ignored
+
+# BEGIN GENERAL FILE IGNORE LIST
+{% for file in csf_fignore | default([]) %}
+{{ file }}
+{% endfor %}
+# END GENERAL FILE IGNORE LIST
+{% if csf_fignore_host is defined %}
+
+# BEGIN HOST SPECIFIC FILE IGNORE LIST
+{% for file in csf_fignore_host %}
+{{ file }}
+{% endfor %}
+# END HOST SPECIFIC FILE IGNORE LIST
+{% endif %}

templates/csf.ignore.j2

@@ -0,0 +1,25 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following IP addresses will be ignored by all lfd checks
+# One IP address per line
+# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
+# Only list IP addresses, not domain names (they will be ignored)
+#
+
+127.0.0.1
+# BEGIN GENERAL IGNORE LIST
+{% for ip in csf_ignore | default([]) %}
+{{ ip }}
+{% endfor %}
+# END GENERAL IGNORE LIST
+{% if csf_ignore_host is defined %}
+
+# BEGIN HOST SPECIFIC IGNORE LIST
+{% for ip in csf_ignore_host %}
+{{ ip }}
+{% endfor %}
+# END HOST SPECIFIC IGNORE LIST
+{% endif %}

templates/csf.pignore.j2

@@ -0,0 +1,138 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of executables (exe) command lines (cmd) and
+# usernames (user) that lfd process tracking will ignore.
+#
+# You must use the following format:
+#
+# exe:/full/path/to/file
+# user:username
+# cmd:command line
+#
+# Or, perl regular expression matching (regex):
+#
+# pexe:/full/path/to/file as a perl regex[*]
+# puser:username as a perl regex[*]
+# pcmd:command line as a perl regex[*]
+#
+# [*]You must remember to escape characters correctly when using regex's, e.g.:
+# pexe:/home/.*/public_html/cgi-bin/script\.cgi
+# puser:bob\d.*
+# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
+#
+# It is strongly recommended that you use command line ignores very carefully
+# as any process can change what is reported to the OS.
+#
+# For more information see readme.txt
+
+exe:/bin/dbus-daemon
+exe:/sbin/ntpd
+exe:/usr/bin/dbus-daemon
+exe:/usr/bin/dbus-daemon-1
+exe:/usr/bin/lsmd
+exe:/usr/bin/postgres
+exe:/usr/bin/spamc
+exe:/usr/lib/courier-imap/bin/imapd
+exe:/usr/lib/courier-imap/bin/pop3d
+exe:/usr/lib/polkit-1/polkitd
+exe:/usr/libexec/dovecot/anvil
+exe:/usr/libexec/dovecot/auth
+exe:/usr/libexec/dovecot/dict
+exe:/usr/libexec/dovecot/imap
+exe:/usr/libexec/dovecot/imap-login
+exe:/usr/libexec/dovecot/lmtp
+exe:/usr/libexec/dovecot/pop3
+exe:/usr/libexec/dovecot/pop3-login
+exe:/usr/libexec/dovecot/quota-status
+exe:/usr/libexec/dovecot/stats
+exe:/usr/libexec/dovecot/imap-hibernate
+exe:/usr/libexec/gam_server
+exe:/usr/libexec/hald-addon-acpi
+exe:/usr/libexec/hald-addon-keyboard
+exe:/usr/libexec/mysqld
+exe:/usr/local/apache/bin/httpd
+exe:/usr/local/cpanel/3rdparty/bin/analog
+exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
+exe:/usr/local/cpanel/3rdparty/bin/imapd
+exe:/usr/local/cpanel/3rdparty/bin/php
+exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
+exe:/usr/local/cpanel/3rdparty/php/54/bin/php-cgi
+exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
+exe:/usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
+exe:/usr/local/cpanel/3rdparty/php/54/sbin/php-fpm
+exe:/usr/local/cpanel/3rdparty/sbin/mydns
+exe:/usr/local/cpanel/3rdparty/sbin/p0f
+exe:/usr/local/cpanel/bin/cppop
+exe:/usr/local/cpanel/bin/cppop-ssl
+exe:/usr/local/cpanel/bin/cpuwatch
+exe:/usr/local/cpanel/bin/cpwrap
+exe:/usr/local/cpanel/bin/logrunner
+exe:/usr/local/cpanel/bin/pkgacct
+exe:/usr/local/cpanel/cpanel
+exe:/usr/local/cpanel/cpdavd
+exe:/usr/local/cpanel/cpsrvd
+exe:/usr/local/cpanel/cpsrvd-ssl
+exe:/usr/local/libexec/dovecot/imap
+exe:/usr/local/libexec/dovecot/imap-login
+exe:/usr/local/libexec/dovecot/pop3
+exe:/usr/local/libexec/dovecot/pop3-login
+exe:/usr/local/urchin/bin/urchinwebd
+exe:/usr/sbin/chronyd
+exe:/usr/sbin/exim
+exe:/usr/sbin/exim
+exe:/usr/sbin/hald
+exe:/usr/sbin/httpd
+exe:/usr/sbin/mysqld
+exe:/usr/sbin/mysqld_safe
+exe:/usr/sbin/named
+exe:/usr/sbin/nscd
+exe:/usr/sbin/nsd
+exe:/usr/sbin/ntpd
+exe:/usr/sbin/proftpd
+exe:/usr/sbin/pure-ftpd
+exe:/usr/sbin/sshd
+exe:/var/cpanel/3rdparty/bin/php
+exe:/usr/sbin/pdns_server
+exe:/usr/local/cpanel/bin/autossl_check
+exe:/usr/local/cpanel/bin/whm_xfer_download-ssl
+pexe:^/usr/lib/jvm/java-.*/jre/bin/java$
+exe:/usr/libexec/dovecot/indexer-worker
+exe:/usr/libexec/dovecot/indexer
+pexe:/usr/local/cpanel/3rdparty/bin/git.*
+pexe:/usr/local/cpanel/3rdparty/libexec/git-core/git.*
+
+# Some additional entries that you might want to ignore on cPanel servers.
+# However, be aware of the security implications under "Process Tracking" in
+# the csf readme.txt when using these:
+#
+#cmd:/bin/sh /usr/bin/mysqld_safe
+#cmd:/bin/sh /usr/bin/mysqld_safe --basedir=/usr
+#cmd:spamd child
+#pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
+#pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
+#pcmd:/usr/bin/python.? /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
+#pcmd:/usr/bin/python.? /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
+#pcmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats\.pl.*
+#pcmd:/usr/bin/perl /usr/local/cpanel/base/awstats\.pl.*
+#pcmd:cpanellogd - (http|ftp) logs for .*
+#pcmd:ubic-guardian ubic-periodic.*
+#pcmd:perl /usr/local/cpanel/3rdparty/perl/\d+/bin/ubic-periodic.*
+#pcmd:MailScanner:.*
+
+# BEGIN GENERAL PROCESS IGNORE LIST
+{% for process in csf_pignore | default([]) %}
+{{ process }}
+{% endfor %}
+# END GENERAL PROCESS IGNORE LIST
+{% if csf_pignore_host is defined %}
+
+# BEGIN HOST SPECIFIC PROCESS IGNORE LIST
+{% for process in csf_pignore_host  %}
+{{ process }}
+{% endfor %}
+# END HOST SPECIFIC PROCESS IGNORE LIST
+
+{% endif %}