| @@ -0,0 +1,60 @@ | ||
| #### ipv4 networking and equivalent ipv6 parameters #### | ||
|
|
||
| ## TCP SYN cookie protection (default) | ||
| ## helps protect against SYN flood attacks | ||
| ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached | ||
| net.ipv4.tcp_syncookies = 1 | ||
|
|
||
| ## protect against tcp time-wait assassination hazards | ||
| ## drop RST packets for sockets in the time-wait state | ||
| ## (not widely supported outside of linux, but conforms to RFC) | ||
| net.ipv4.tcp_rfc1337 = 1 | ||
|
|
||
| ## sets the kernels reverse path filtering mechanism to value 1(on) | ||
| ## will do source validation of the packet's recieved from all the interfaces on the machine | ||
| ## protects from attackers that are using ip spoofing methods to do harm | ||
| net.ipv4.conf.all.rp_filter = 1 | ||
| net.ipv6.conf.all.rp_filter = 1 | ||
|
|
||
| ## tcp timestamps | ||
| ## + protect against wrapping sequence numbers (at gigabit speeds) | ||
| ## + round trip time calculation implemented in TCP | ||
| ## - causes extra overhead and allows uptime detection by scanners like nmap | ||
| ## enable @ gigabit speeds | ||
| net.ipv4.tcp_timestamps = 0 | ||
| #net.ipv4.tcp_timestamps = 1 | ||
|
|
||
| ## log martian packets | ||
| net.ipv4.conf.all.log_martians = 1 | ||
|
|
||
| ## ignore echo broadcast requests to prevent being part of smurf attacks (default) | ||
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
|
|
||
| ## ignore bogus icmp errors (default) | ||
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | ||
|
|
||
| ## send redirects (not a router, disable it) | ||
| net.ipv4.conf.all.send_redirects = 0 | ||
|
|
||
| ## ICMP routing redirects (only secure) | ||
| #net.ipv4.conf.all.secure_redirects = 1 (default) | ||
| net/ipv4/conf/default/accept_redirects=0 | ||
| net/ipv4/conf/all/accept_redirects=0 | ||
| net/ipv6/conf/default/accept_redirects=0 | ||
| net/ipv6/conf/all/accept_redirects=0 | ||
|
|
||
| # Contains, as a percentage of total system memory, the number of pages at which | ||
| # a process which is generating disk writes will start writing out dirty data. | ||
| vm.dirty_ratio = 3 | ||
|
|
||
| # Contains, as a percentage of total system memory, the number of pages at which | ||
| # the background kernel flusher threads will start writing out dirty data. | ||
| vm.dirty_background_ratio = 2 | ||
|
|
||
| kernel.dmesg_restrict = 1 | ||
| #kernel.kptr_restrict = 1 | ||
| kernel.randomize_va_space = 1 | ||
| net.netfilter.nf_conntrack_tcp_timeout_established = 360 | ||
| fs.protected_hardlinks = 1 | ||
| fs.protected_symlinks = 1 | ||
| net.ipv4.tcp_synack_retries = 2 |
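Review bot: `kernel.randomize_va_space = 1` near the end of the hunk leaves the heap (brk) unrandomized; full ASLR is `kernel.randomize_va_space = 2`, which is the usual kernel default, so as written this line weakens rather than hardens the host. `net.ipv6.conf.all.rp_filter = 1` is not a knob the kernel exposes (IPv6 has no rp_filter sysctl; reverse-path checks for v6 are done with the netfilter `rpfilter` match), so sysctl will log an unknown-key error for it on every load. The `all.*` settings for rp_filter, log_martians and send_redirects need their `default.*` counterparts as well, otherwise interfaces created after the file is applied (wireless dongles, the interfaces the boot script in this commit waits for) come up with the kernel defaults. `#kernel.kptr_restrict = 1` is left disabled, so kernel addresses in `/proc/kallsyms` stay readable to unprivileged users; `kernel.kptr_restrict = 2` is the natural companion to `kernel.dmesg_restrict = 1`.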
| @@ -0,0 +1,4 @@ | ||
| [Match] | ||
| Name=wl* | ||
| [Network] | ||
| DHCP=ipv4 |
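Review bot: `DHCP=ipv4` on `wl*` leaves networkd's default IPv6 behaviour in place (router advertisements accepted, SLAAC addresses formed), which is not obviously intended on a host that goes to the trouble of randomizing its MAC and hostname. If IPv6 is not meant to be used, say so explicitly with `LinkLocalAddressing=ipv4` and `IPv6AcceptRA=no`; if it is, add `IPv6PrivacyExtensions=yes` so the address is not derived from the interface identifier. networkd also sends the machine hostname in DHCP requests by default; if that is a concern for this setup, `SendHostname=no` in a `[DHCP]` section suppresses it.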
| @@ -0,0 +1,16 @@ | ||
| #!/bin/env bash | ||
| ############################################################################################################################################################################################################### | ||
| hostname="host-" | ||
| hostname+=$(date | md5sum | sed 's/...$//') | ||
| echo ${hostname} > /proc/sys/kernel/hostname | ||
| echo ${hostname} > /etc/hostname | ||
| unset hostname | ||
| ############################################################################################################################################################################################################### | ||
| echo 360 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established | ||
| mv /root/09-gnupg.rules /etc/udev/rules.d/ | ||
| chown root:network /etc/wpa_supplicant | ||
| chmod 770 /etc/wpa_supplicant | ||
| ############################################################################################################################################################################################################### | ||
| while [[ $(ls /sys/class/net) == "lo" ]];do sleep 1;done | ||
| for i in $(ls /sys/class/net);do if [[ ${i} != lo ]];then macchanger -rb ${i};fi;done | ||
| ############################################################################################################################################################################################################### |
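Review bot: The MAC randomization loop at the bottom runs only once the first non-loopback interface appears and only over the interfaces present at that instant, so networkd (configured in this commit to DHCP on `wl*`) can already have sent frames carrying the real hardware address, and interfaces plugged in later are never touched; a udev rule or a networkd `.link` file with `MACAddressPolicy=random` closes both gaps. `mv /root/09-gnupg.rules /etc/udev/rules.d/` is not idempotent (it simply errors on every boot after the first), and `chmod 770 /etc/wpa_supplicant` gives everyone in `network` read and write access to a directory that, with `update_config=1`, holds plaintext PSKs — `750` plus a `GROUP=network` control interface is the usual way to let non-root users drive wpa_supplicant. `#!/bin/env bash` also relies on `/bin` being merged into `/usr/bin`; `#!/usr/bin/env bash` is the portable form.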
| @@ -0,0 +1,3 @@ | ||
| [Service] | ||
| ExecStart= | ||
| ExecStart=-/sbin/agetty --autologin anon --noclear %I 38400 linux |
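Review bot: `--autologin anon` means whoever reaches the console gets a shell as `anon` with no password; the unit this drop-in overrides is not visible here, and if it is attached to the `getty@.service` template it applies to every virtual terminal, not only the one that starts X. Unless physical console access is explicitly trusted in the threat model (plausible for a live image, but it should be stated in a comment), scope the override to `getty@tty1.service.d/` and leave the remaining ttys behind a login prompt.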
| @@ -0,0 +1,194 @@ | ||
| #AutomapHostsOnResolve 1 | ||
| #AutomapHostsSuffixes .exit,.onion | ||
| ## Configuration file for a typical Tor user | ||
| ## Last updated 22 April 2012 for Tor 0.2.3.14-alpha. | ||
| ## (may or may not work for much older or much newer versions of Tor.) | ||
| ## | ||
| ## Lines that begin with "## " try to explain what's going on. Lines | ||
| ## that begin with just "#" are disabled commands: you can enable them | ||
| ## by removing the "#" symbol. | ||
| ## | ||
| ## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, | ||
| ## for more options you can use in this file. | ||
| ## | ||
| ## Tor will look for this file in various places based on your platform: | ||
| ## https://www.torproject.org/docs/faq#torrc | ||
|
|
||
| ## Tor opens a socks proxy on port 9050 by default -- even if you don't | ||
| ## configure one below. Set "SocksPort 0" if you plan to run Tor only | ||
| ## as a relay, and not make any local application connections yourself. | ||
| #SocksPort 9050 # Default: Bind to localhost:9050 for local connections. | ||
| VirtualAddrNetworkIPv4 10.192.0.0/10 | ||
| AutomapHostsOnResolve 1 | ||
| TransPort 9051 | ||
| DNSPort 9053 | ||
| #SocksPort 10.0.0.1:9050 # Bind to this adddress:port too. | ||
| ## Entry policies to allow/deny SOCKS requests based on IP address. | ||
| ## First entry that matches wins. If no SocksPolicy is set, we accept | ||
| ## all (and only) requests that reach a SocksPort. Untrusted users who | ||
| ## can access your SocksPort may be able to learn about the connections | ||
| ## you make. | ||
| #SocksPolicy accept 192.168.0.0/16 | ||
| #SocksPolicy reject * | ||
|
|
||
| ## Logs go to stdout at level "notice" unless redirected by something | ||
| ## else, like one of the below lines. You can have as many Log lines as | ||
| ## you want. | ||
| ## | ||
| ## We advise using "notice" in most cases, since anything more verbose | ||
| ## may provide sensitive information to an attacker who obtains the logs. | ||
| ## | ||
| ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log | ||
| #Log notice file /var/log/tor/notices.log | ||
| ## Send every possible message to /var/log/tor/debug.log | ||
| #Log debug file /var/log/tor/debug.log | ||
| ## Use the system log instead of Tor's logfiles | ||
| Log notice syslog | ||
| ## To send all messages to stderr: | ||
| #Log debug stderr | ||
|
|
||
| ## Uncomment this to start the process in the background... or use | ||
| ## --runasdaemon 1 on the command line. This is ignored on Windows; | ||
| ## see the FAQ entry if you want Tor to run as an NT service. | ||
| #RunAsDaemon 1 | ||
|
|
||
| ## The directory for keeping all the keys/etc. By default, we store | ||
| ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. | ||
| DataDirectory /var/lib/tor | ||
|
|
||
| ## The port on which Tor will listen for local connections from Tor | ||
| ## controller applications, as documented in control-spec.txt. | ||
| #ControlPort 9051 | ||
| ## If you enable the controlport, be sure to enable one of these | ||
| ## authentication methods, to prevent attackers from accessing it. | ||
| #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C | ||
| #CookieAuthentication 1 | ||
|
|
||
| ############### This section is just for location-hidden services ### | ||
|
|
||
| ## Once you have configured a hidden service, you can look at the | ||
| ## contents of the file ".../hidden_service/hostname" for the address | ||
| ## to tell people. | ||
| ## | ||
| ## HiddenServicePort x y:z says to redirect requests on port x to the | ||
| ## address y:z. | ||
|
|
||
| #HiddenServiceDir /var/lib/tor/hidden_service/ | ||
| #HiddenServicePort 80 127.0.0.1:80 | ||
|
|
||
| #HiddenServiceDir /var/lib/tor/other_hidden_service/ | ||
| #HiddenServicePort 80 127.0.0.1:80 | ||
| #HiddenServicePort 22 127.0.0.1:22 | ||
|
|
||
| ################ This section is just for relays ##################### | ||
| # | ||
| ## See https://www.torproject.org/docs/tor-doc-relay for details. | ||
|
|
||
| ## Required: what port to advertise for incoming Tor connections. | ||
| #ORPort 9001 | ||
| ## If you want to listen on a port other than the one advertised in | ||
| ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as | ||
| ## follows. You'll need to do ipchains or other port forwarding | ||
| ## yourself to make this work. | ||
| #ORPort 443 NoListen | ||
| #ORPort 127.0.0.1:9090 NoAdvertise | ||
|
|
||
| ## The IP address or full DNS name for incoming connections to your | ||
| ## relay. Leave commented out and Tor will guess. | ||
| #Address noname.example.com | ||
|
|
||
| ## If you have multiple network interfaces, you can specify one for | ||
| ## outgoing traffic to use. | ||
| # OutboundBindAddress 10.0.0.5 | ||
|
|
||
| ## A handle for your relay, so people don't have to refer to it by key. | ||
| #Nickname ididnteditheconfig | ||
|
|
||
| ## Define these to limit how much relayed traffic you will allow. Your | ||
| ## own traffic is still unthrottled. Note that RelayBandwidthRate must | ||
| ## be at least 20 KB. | ||
| ## Note that units for these config options are bytes per second, not bits | ||
| ## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. | ||
| #RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) | ||
| #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) | ||
|
|
||
| ## Use these to restrict the maximum traffic per day, week, or month. | ||
| ## Note that this threshold applies separately to sent and received bytes, | ||
| ## not to their sum: setting "4 GB" may allow up to 8 GB total before | ||
| ## hibernating. | ||
| ## | ||
| ## Set a maximum of 4 gigabytes each way per period. | ||
| #AccountingMax 4 GB | ||
| ## Each period starts daily at midnight (AccountingMax is per day) | ||
| #AccountingStart day 00:00 | ||
| ## Each period starts on the 3rd of the month at 15:00 (AccountingMax | ||
| ## is per month) | ||
| #AccountingStart month 3 15:00 | ||
|
|
||
| ## Contact info to be published in the directory, so we can contact you | ||
| ## if your relay is misconfigured or something else goes wrong. Google | ||
| ## indexes this, so spammers might also collect it. | ||
| #ContactInfo Random Person <nobody AT example dot com> | ||
| ## You might also include your PGP or GPG fingerprint if you have one: | ||
| #ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com> | ||
|
|
||
| ## Uncomment this to mirror directory information for others. Please do | ||
| ## if you have enough bandwidth. | ||
| #DirPort 9030 # what port to advertise for directory connections | ||
| ## If you want to listen on a port other than the one advertised in | ||
| ## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as | ||
| ## follows. below too. You'll need to do ipchains or other port | ||
| ## forwarding yourself to make this work. | ||
| #DirPort 80 NoListen | ||
| #DirPort 127.0.0.1:9091 NoAdvertise | ||
| ## Uncomment to return an arbitrary blob of html on your DirPort. Now you | ||
| ## can explain what Tor is if anybody wonders why your IP address is | ||
| ## contacting them. See contrib/tor-exit-notice.html in Tor's source | ||
| ## distribution for a sample. | ||
| #DirPortFrontPage /etc/tor/tor-exit-notice.html | ||
|
|
||
| ## Uncomment this if you run more than one Tor relay, and add the identity | ||
| ## key fingerprint of each Tor relay you control, even if they're on | ||
| ## different networks. You declare it here so Tor clients can avoid | ||
| ## using more than one of your relays in a single circuit. See | ||
| ## https://www.torproject.org/docs/faq#MultipleRelays | ||
| ## However, you should never include a bridge's fingerprint here, as it would | ||
| ## break its concealability and potentionally reveal its IP/TCP address. | ||
| #MyFamily $keyid,$keyid,... | ||
|
|
||
| ## A comma-separated list of exit policies. They're considered first | ||
| ## to last, and the first match wins. If you want to _replace_ | ||
| ## the default exit policy, end this with either a reject *:* or an | ||
| ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the | ||
| ## default exit policy. Leave commented to just use the default, which is | ||
| ## described in the man page or at | ||
| ## https://www.torproject.org/documentation.html | ||
| ## | ||
| ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses | ||
| ## for issues you might encounter if you use the default exit policy. | ||
| ## | ||
| ## If certain IPs and ports are blocked externally, e.g. by your firewall, | ||
| ## you should update your exit policy to reflect this -- otherwise Tor | ||
| ## users will be told that those destinations are down. | ||
| ## | ||
| ## For security, by default Tor rejects connections to private (local) | ||
| ## networks, including to your public IP address. See the man page entry | ||
| ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". | ||
| ## | ||
| #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more | ||
| #ExitPolicy accept *:119 # accept nntp as well as default exit policy | ||
| #ExitPolicy reject *:* # no exits allowed | ||
|
|
||
| ## Bridge relays (or "bridges") are Tor relays that aren't listed in the | ||
| ## main directory. Since there is no complete public list of them, even an | ||
| ## ISP that filters connections to all the known Tor relays probably | ||
| ## won't be able to block all the bridges. Also, websites won't treat you | ||
| ## differently because they won't know you're running Tor. If you can | ||
| ## be a real relay, please do; but if not, be a bridge! | ||
| #BridgeRelay 1 | ||
| ## By default, Tor will advertise your bridge to users through various | ||
| ## mechanisms like https://bridges.torproject.org/. If you want to run | ||
| ## a private bridge, for example because you'll give out your bridge | ||
| ## address manually to your friends, uncomment this line: | ||
| #PublishServerDescriptor 0 | ||
|
|
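Review bot: `TransPort 9051` takes the port that the still-present `#ControlPort 9051` template line further down would bind, so the first person who enables the control port from this file gets a bind failure, or a control channel where they expected the transparent proxy; pick a non-default port and write the address explicitly, e.g. `TransPort 127.0.0.1:9040` and `DNSPort 127.0.0.1:9053`. TransPort and DNSPort only see traffic that is steered to them, and neither the netfilter REDIRECT rules nor a resolv.conf pointing at 127.0.0.1 is in this page, so unless that lives elsewhere the host still talks directly; a comment naming where the redirect rules are kept would help the next reader. The header still claims the file was last updated in 2012 for 0.2.3.14-alpha, which is misleading for a hand-edited config.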
| @@ -0,0 +1,2 @@ | ||
| KEYMAP=uk | ||
| FONT=Lat2-Terminus16 |
| @@ -0,0 +1,13 @@ | ||
| runtime! archlinux.vim | ||
|
|
||
| set nobackup | ||
| set nowritebackup | ||
| set noswapfile | ||
| set viminfo="NONE" | ||
| syntax enable | ||
| set number | ||
| set tabstop=2 | ||
| set shiftwidth=2 | ||
| set expandtab | ||
| set nowrap | ||
|
|
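Review bot: `set viminfo="NONE"` most likely does not do what the neighbouring no-backup/no-swap lines intend: `:set` takes the value literally, quotes included, and `"NONE"` is not valid viminfo syntax, so the line should fail with E474 and the default viminfo (command history, search patterns, registers, file marks) keeps being written to `~/.viminfo` — worth confirming with `:set viminfo?`. The forms that actually disable it are `set viminfo=` or, on Vim 8.0.0716 and later, `set viminfofile=NONE`.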
| @@ -0,0 +1,2 @@ | ||
| ctrl_interface=/run/wpa_supplicant | ||
| update_config=1 |
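Review bot: `ctrl_interface=/run/wpa_supplicant` without a `GROUP=` makes the control socket root-only, so the `chown root:network`/`chmod 770` on `/etc/wpa_supplicant` elsewhere in this commit appears to be compensating for the wrong thing: it hands the `network` group read and write access to the plaintext PSKs that `update_config=1` writes, while `wpa_cli` still does not work unprivileged. `ctrl_interface=DIR=/run/wpa_supplicant GROUP=network` lets the group drive the daemon (including `save_config`, which the daemon performs as root), and the config directory can then stay `750` with the file itself `0600`.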
| @@ -0,0 +1 @@ | ||
| unknown () |
| @@ -0,0 +1 @@ | ||
| MANIFEST-000001 |
| @@ -0,0 +1,3 @@ | ||
| 2015/09/10-00:21:53.280 8072 Reusing MANIFEST /home/user/.config/chromium/Default/Extension State/MANIFEST-000001 | ||
| 2015/09/10-00:21:53.281 8072 Recovering log #3 | ||
| 2015/09/10-00:21:53.281 8072 Reusing old log /home/user/.config/chromium/Default/Extension State/000003.log |
| @@ -0,0 +1 @@ | ||
| 2015/09/10-00:21:09.809 7858 Reusing MANIFEST /home/user/.config/chromium/Default/Extension State/MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| Chromium settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Chromium defined APIs. |
| @@ -0,0 +1 @@ | ||
| {"protection":{"macs":{},"super_mac":"22F8EEA909400AF98ADF3681A9F31923EF6B7FCBA4ABB553D92823A3E9D5C25E"}} |
| @@ -0,0 +1 @@ | ||
| MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| 2015/09/10-00:22:00.208 8070 Reusing MANIFEST /home/user/.config/chromium/Default/Session Storage/MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| 2015/09/10-00:23:42.665 8070 Reusing MANIFEST /home/user/.config/chromium/Default/Thumbnails/MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| {"app_list":{"app_launch_count":0,"last_app_launch_ping":"13086316800000000","last_launch_ping":"13086316800000000","launch_count":0},"background_mode":{"enabled":false},"browser":{"enabled_labs_experiments":["clear-data-reduction-proxy-data-savings","data-reduction-proxy-lo-fi@3","device-discovery-notifications@2","disable-cast-streaming-hw-encoding","disable-delay-agnostic-aec","disable-encrypted-media","disable-hyperlink-auditing","disable-javascript-harmony-shipping","disable-media-source","disable-new-video-renderer","disable-prefixed-encrypted-media","disable-webgl","enable-affiliation-based-matching@2","enable-drop-sync-credential@2","enable-offline-auto-reload-visible-only@2","enable-offline-auto-reload@2","enable-password-link@2","enable-quic@2","enable-save-password-bubble@2","enable-simple-cache-backend@1"],"last_redirect_origin":""},"easy_unlock":{"user_prefs":{"":{"easy_unlock.proximity_required":false}}},"hardware_acceleration_mode":{"enabled":false},"hardware_acceleration_mode_previous":false,"ntp":{"promo_resource_cache_update":"1441844473.545672"},"policy":{"last_statistics_update":"13086318068544536"},"profile":{"add_person_enabled":false,"browser_guest_enabled":false,"info_cache":{"Default":{"active_time":1441844468.682408,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_14","background_apps":false,"gaia_id":"","is_ephemeral":false,"is_omitted_from_profile_list":false,"is_using_default_avatar":false,"is_using_default_name":false,"managed_user_id":"","name":"user","use_gaia_picture":false,"user_name":""}},"last_active_profiles":[]},"rappor":{"cohort_seed":313,"secret":"FzJ/GdWZvAkEYCvN1Tb8Xa6Dy+2IiPtboFijiFIvFGc11cbuQp2JrijmYj8AmcTf"},"show-first-run-bubble-option":0,"shutdown":{"num_processes":0,"num_processes_slow":0,"type":0},"uninstall_metrics":{"installation_date2":"1441844468","launch_count":"2"},"user_experience_metrics":{"low_entropy_source2":6987,"session_id":1,"stability":{"breakpad_registration_fail":2,"child_process_crash_count":0,"cr
ash_count":0,"debugger_not_present":2,"execution_phase":700,"exited_cleanly":true,"extension_renderer_crash_count":0,"incomplete_session_end_count":0,"last_timestamp_sec":"1441844879","launch_count":2,"launch_time_sec":"1441844512","page_load_count":0,"plugin_stats2":[{"crashes":0,"instances":0,"launches":1,"loading_errors":0,"name":"Chromium PDF Viewer"}],"renderer_crash_count":0,"renderer_hang_count":0,"session_end_completed":true,"stats_buildtime":"1220371200","stats_version":"45.0.2454.85-64-devel"}},"was":{"restarted":false}} |
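Review bot: This is Chromium's generated `Local State`, and it carries per-installation values — `rappor.secret`, `low_entropy_source2`, `installation_date2`, the `uninstall_metrics` — that are meant to be unique to one profile; checking them into a dotfiles repo publishes them and makes every machine provisioned from the repo share the same identifiers, the opposite of what the random MAC and hostname in this commit are aiming for. The neighbouring `cloud_print` file with its `proxy_id` UUID has the same problem. Drop the generated profile state from the repo and let Chromium recreate it on first run, keeping only hand-written preferences under version control.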
| @@ -0,0 +1 @@ | ||
| {"cloud_print":{"proxy_id":"DD4D97E4-46BB-41D0-A187-5D9000BE9013"}} |
| @@ -0,0 +1,25 @@ | ||
| # Beware! This file is rewritten by htop when settings are changed in the interface. | ||
| # The parser is also very primitive, and not human-friendly. | ||
| fields=0 48 46 47 62 63 49 1 | ||
| sort_key=46 | ||
| sort_direction=1 | ||
| hide_threads=0 | ||
| hide_kernel_threads=1 | ||
| hide_userland_threads=1 | ||
| shadow_other_users=1 | ||
| show_thread_names=1 | ||
| highlight_base_name=1 | ||
| highlight_megabytes=1 | ||
| highlight_threads=1 | ||
| tree_view=1 | ||
| header_margin=1 | ||
| detailed_cpu_time=1 | ||
| cpu_count_from_zero=1 | ||
| update_process_names=1 | ||
| account_guest_in_cpu_meter=1 | ||
| color_scheme=0 | ||
| delay=15 | ||
| left_meters=LeftCPUs Memory Swap | ||
| left_meter_modes=1 1 1 | ||
| right_meters=RightCPUs Hostname Uptime | ||
| right_meter_modes=1 2 2 |
| @@ -0,0 +1,12 @@ | ||
| conky.config = { | ||
| out_to_x = false, | ||
| out_to_console = true, | ||
| out_to_stderr = false, | ||
| background = false, | ||
| update_interval = 2, | ||
| total_run_times = 0, | ||
| use_spacer = none, | ||
| }; | ||
| conky.text = [[ | ||
| ${if_existing /home/user/ssh/id_rsa-cert.pub}${if_existing /home/user/sshd/ssh_host_rsa_key-cert.pub}[ network_enabled ]${endif}${endif} ${if_existing /dev/archiso}[ plugged ]${endif} ${if_existing /tmp/unlocked}[ unlocked ]${endif} [ CPU: ${cpu cpu0}% ] [ RAM: ${memperc}% ] [ ${uptime} | ${time %a %b %d %I:%M%P} ] [ Battery: ${battery_percent BAT0}% ] | ||
| ]]; |
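Review bot: `${if_existing /tmp/unlocked}` makes the `[ unlocked ]` indicator depend on a file in a world-writable directory, so any local process can create `/tmp/unlocked` and have the bar report a state that was never reached, and a stale marker survives until /tmp is cleaned. The other conkyrc in this page already keys off `/home/user/gnupg/unlocked`, which is user-owned; this one should do the same or test the real condition. The `[ network_enabled ]` label likewise only proves that two certificate files exist, not that they are valid or that networking is up, so it overstates what it checks.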
| @@ -0,0 +1,4 @@ | ||
| xrdb ~/.Xresources | ||
| setxkbmap gb | ||
| (conky|while read -r;do xsetroot -name "$REPLY";done)& | ||
| exec dwm |
| @@ -0,0 +1,98 @@ | ||
| https://www.canarywatch.org/ | ||
| http://torlinkbgs6aabns.onion/ | ||
| http://xmh57jrzrnw6insl.onion/ | ||
| http://thehiddenwiki.org/ | ||
| http://skunksworkedp2cg.onion/sites.html | ||
| http://3g2upl4pq6kufc4m.onion/ | ||
| http://hss3uro2hsxfogfq.onion/ | ||
| http://torvps7kzis5ujfz.onion/~user/ | ||
| http://kbhpodhnfxl3clb4.onion/ | ||
| http://7jwxg5rakyfvikpi.onion/ | ||
| http://outforumbpapnpqr.onion/ | ||
| http://rso4hutlefirefqp.onion/ | ||
| http://smoker32pk4qt3mx.onion/ | ||
| http://fzqnrlcvhkgbdwx5.onion/ | ||
| http://kbvbh4kdddiha2ht.onion/ | ||
| http://s5q54hfww56ov2xc.onion/ | ||
| http://ll6lardicrvrljvq.onion/ | ||
| http://25ffhnaechrbzwf3.onion/ | ||
| http://shopsat2dotfotbs.onion/ | ||
| http://en35tuzqmn4lofbk.onion/ | ||
| http://vfqnd6mieccqyiit.onion/ | ||
| http://abraxasdegupusel.onion/register/JIYi9utdux | ||
| http://pwoah7foa6au2pul.onion/forum/ | ||
| http://newpdsuslmzqazvr.onion/ | ||
| http://mango7u3rivtwxy7.onion/hi/ | ||
| http://ckotfxg3kcmy5mx6.onion | ||
| http://fzjini5w5jdqpw5r.onion | ||
| http://ebz7hn4cmot3p3jq.onion | ||
| http://zhhvkjfw76bcmogw.onion | ||
| http://ts6qrnwem375kg3c.onion | ||
| http://kjj2txjneira6koo.onion | ||
| http://34mgnmkmmi2kwier.onion | ||
| http://3zqqkgrbyo6cqzkd.onion | ||
| http://f3oqufgj3cukl7bu.onion | ||
| http://i25c62nvu4cgeqyz.onion | ||
| http://b7w2gy5fn5lenigv.onion | ||
| http://nucleuspf3izq7o6.onion | ||
| http://bm26rwk32m7u7rec.onion | ||
| http://tochka3evlj3sxdv.onion | ||
| http://ltxocqh4nvwkofil.onion | ||
| http://pwoah7foa6au2pul.onion | ||
| http://ramp2bombkadwvgz.onion | ||
| http://g4c35ipwiutqccly.onion | ||
| http://mithrakushhvfyto.onion | ||
| http://tortalkmcguzevvz.onion | ||
| http://tornadoputkhrvfq.onion | ||
| http://ltxocqh4nvwkofil.onion | ||
| http://kissmpg5zave56f4.onion | ||
| http://6dez37hcrz7hpvlz.onion | ||
| http://armoryx7kvdq3jds.onion | ||
| http://7iotvmzd35c4d2eu.onion | ||
| http://amazon435hm6h3ye.onion | ||
| http://cloudninetve7kme.onion | ||
| http://ubporpt5fm4pohsf.onion | ||
| http://spr3udtjiegxevzt.onion | ||
| http://abraxasderinuupa.onion | ||
| http://www.deepdotweb.com/forum | ||
| https://check.torproject.org | ||
| http://abraxasgacelesox.onion | ||
| http://kth2mwuwlkezwziy.onion | ||
| http://zw3crggtadila2sg.onion | ||
| http://hforum53umdxo7b3.onion | ||
| http://lacbzxobeprssrfx.onion | ||
| http://thehub7gqe43miyc.onion | ||
| http://asbry5fo5kingdom.onion | ||
| http://z34uj4opd3tejafn.onion | ||
| http://uj3wazyk5u4hnvtk.onion | ||
| http://kickass.to | ||
| http://kat.cr | ||
| http://www.torrentdownloads.cc | ||
| http://torrentreactor.com | ||
| http://torrent-finder.info | ||
| https://torrentz.eu | ||
| http://torrents.to | ||
| http://kpvz7kpmcmne52qf.onion | ||
| http://76qugh5bey5gum7l.onion/ | ||
| http://wuvdsbmbwyjzsgei.onion/ | ||
| http://wdnqg3ehh3hvalpe.onion/ | ||
| http://poldoxhh7h6zxgld.onion/ | ||
| http://dropshr3md5oqpyb.onion/ | ||
| http://darknet4x3hcv5zp.onion/ | ||
| https://localbitcoins.com/ | ||
| http://5xgrs443ogbyfoh2.onion/ | ||
| http://3cpleimu2getp5q7.onion/library/ | ||
| http://fhostingesps6bly.onion/ | ||
| http://anonetzjggx72ux6.onion/ | ||
| http://bomboclatu7rk22w.onion/users/sign_in | ||
| http://bpo4ybbs2apk4sk4.onion/en | ||
| http://cyjabr4pfzupo7pg.onion/ | ||
| http://epjhlyfgxenf2q4o.onion/ | ||
| http://gawker5oxtsc6fa7.onion/ | ||
| http://grams7e4k7dscw5o.onion/ | ||
| http://k6e4p7yji2rioxbm.onion/ | ||
| http://n5aagcqahdz3sf5a.onion/ | ||
| http://utcomsocmtkxlazp.onion/ | ||
| http://freenet7cul5qsz6.onion/ | ||
| http://directory4iisquf.onion/ | ||
| http://d33szspppquk6bp5.onion/login?next=%2F |
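Review bot: Several clearnet entries in this list are plain `http://` (thehiddenwiki.org, deepdotweb.com, kickass.to, kat.cr, torrentreactor.com, torrents.to, torrent-finder.info, torrentdownloads.cc), which for traffic leaving through a Tor exit means the exit can read and rewrite the page; switch the ones that offer TLS to `https://` and treat the rest as untrusted. `http://abraxasdegupusel.onion/register/JIYi9utdux` looks like a registration link with a per-user token in the path — if it is, committing it ties the repo to an account and it should be removed. `pwoah7foa6au2pul.onion` and `ltxocqh4nvwkofil.onion` are each listed twice.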
| @@ -0,0 +1,4 @@ | ||
| ############################################################################################################################################################################################################### | ||
| rm /home/user/.bash_profile | ||
| [[ -z $DISPLAY && $XDG_VTNR -eq 1 ]] && exec startx | ||
| ############################################################################################################################################################################################################### |
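Review bot: `rm /home/user/.bash_profile` runs before the `$XDG_VTNR -eq 1` guard is evaluated, so a first login on any other tty, or over ssh where `XDG_VTNR` is unset, deletes the file without ever starting X and the one-shot autostart is lost for tty1. Put the removal under the same condition and refer to the file through `$HOME` or `${BASH_SOURCE[0]}` rather than a hard-coded home directory: `[[ -z $DISPLAY && $XDG_VTNR -eq 1 ]] && { rm -- "$HOME/.bash_profile"; exec startx; }`. A comment saying why the file removes itself would also help, since the intent is not obvious.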
| @@ -0,0 +1 @@ | ||
| unknown () |
| @@ -0,0 +1 @@ | ||
| MANIFEST-000001 |
| @@ -0,0 +1,3 @@ | ||
| 2015/09/10-00:21:53.280 8072 Reusing MANIFEST /home/user/.config/chromium/Default/Extension State/MANIFEST-000001 | ||
| 2015/09/10-00:21:53.281 8072 Recovering log #3 | ||
| 2015/09/10-00:21:53.281 8072 Reusing old log /home/user/.config/chromium/Default/Extension State/000003.log |
| @@ -0,0 +1 @@ | ||
| 2015/09/10-00:21:09.809 7858 Reusing MANIFEST /home/user/.config/chromium/Default/Extension State/MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| Chromium settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Chromium defined APIs. |
| @@ -0,0 +1 @@ | ||
| {"protection":{"macs":{},"super_mac":"22F8EEA909400AF98ADF3681A9F31923EF6B7FCBA4ABB553D92823A3E9D5C25E"}} |
| @@ -0,0 +1 @@ | ||
| MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| 2015/09/10-00:22:00.208 8070 Reusing MANIFEST /home/user/.config/chromium/Default/Session Storage/MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| 2015/09/10-00:23:42.665 8070 Reusing MANIFEST /home/user/.config/chromium/Default/Thumbnails/MANIFEST-000001 |
| @@ -0,0 +1 @@ | ||
| {"app_list":{"app_launch_count":0,"last_app_launch_ping":"13086316800000000","last_launch_ping":"13086316800000000","launch_count":0},"background_mode":{"enabled":false},"browser":{"enabled_labs_experiments":["clear-data-reduction-proxy-data-savings","data-reduction-proxy-lo-fi@3","device-discovery-notifications@2","disable-cast-streaming-hw-encoding","disable-delay-agnostic-aec","disable-encrypted-media","disable-hyperlink-auditing","disable-javascript-harmony-shipping","disable-media-source","disable-new-video-renderer","disable-prefixed-encrypted-media","disable-webgl","enable-affiliation-based-matching@2","enable-drop-sync-credential@2","enable-offline-auto-reload-visible-only@2","enable-offline-auto-reload@2","enable-password-link@2","enable-quic@2","enable-save-password-bubble@2","enable-simple-cache-backend@1"],"last_redirect_origin":""},"easy_unlock":{"user_prefs":{"":{"easy_unlock.proximity_required":false}}},"hardware_acceleration_mode":{"enabled":false},"hardware_acceleration_mode_previous":false,"ntp":{"promo_resource_cache_update":"1441844473.545672"},"policy":{"last_statistics_update":"13086318068544536"},"profile":{"add_person_enabled":false,"browser_guest_enabled":false,"info_cache":{"Default":{"active_time":1441844468.682408,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_14","background_apps":false,"gaia_id":"","is_ephemeral":false,"is_omitted_from_profile_list":false,"is_using_default_avatar":false,"is_using_default_name":false,"managed_user_id":"","name":"user","use_gaia_picture":false,"user_name":""}},"last_active_profiles":[]},"rappor":{"cohort_seed":313,"secret":"FzJ/GdWZvAkEYCvN1Tb8Xa6Dy+2IiPtboFijiFIvFGc11cbuQp2JrijmYj8AmcTf"},"show-first-run-bubble-option":0,"shutdown":{"num_processes":0,"num_processes_slow":0,"type":0},"uninstall_metrics":{"installation_date2":"1441844468","launch_count":"2"},"user_experience_metrics":{"low_entropy_source2":6987,"session_id":1,"stability":{"breakpad_registration_fail":2,"child_process_crash_count":0,"cr
ash_count":0,"debugger_not_present":2,"execution_phase":700,"exited_cleanly":true,"extension_renderer_crash_count":0,"incomplete_session_end_count":0,"last_timestamp_sec":"1441844879","launch_count":2,"launch_time_sec":"1441844512","page_load_count":0,"plugin_stats2":[{"crashes":0,"instances":0,"launches":1,"loading_errors":0,"name":"Chromium PDF Viewer"}],"renderer_crash_count":0,"renderer_hang_count":0,"session_end_completed":true,"stats_buildtime":"1220371200","stats_version":"45.0.2454.85-64-devel"}},"was":{"restarted":false}} |
| @@ -0,0 +1 @@ | ||
| {"cloud_print":{"proxy_id":"DD4D97E4-46BB-41D0-A187-5D9000BE9013"}} |
| @@ -0,0 +1,12 @@ | ||
| conky.config = { | ||
| out_to_x = false, | ||
| out_to_console = true, | ||
| out_to_stderr = false, | ||
| background = false, | ||
| update_interval = 2, | ||
| total_run_times = 0, | ||
| use_spacer = none, | ||
| }; | ||
| conky.text = [[ | ||
| ${if_existing /home/user/openssh/ssh/id_rsa-cert.pub}${if_existing /home/user/openssh/sshd/ssh_host_rsa_key-cert.pub}${if_existing /home/user/lighttpd/ssl/localhost.pem}[ network_enabled ] ${endif}${endif}${endif}${if_existing /home/user/gnupg/unlocked}[ unlocked ] ${endif}${if_existing /dev/archiso}[ plugged ] ${endif}${if_mounted /mnt}[internal ] ${endif}[ CPU: ${cpu cpu0}% ] [ RAM: ${memperc}% ] [ ${uptime} | ${time %a %b %d %I:%M%P} ] [ Battery: ${battery_percent BAT0}% ] | ||
| ]]; |
| @@ -0,0 +1,25 @@ | ||
| # Beware! This file is rewritten by htop when settings are changed in the interface. | ||
| # The parser is also very primitive, and not human-friendly. | ||
| fields=0 48 46 47 62 63 49 1 | ||
| sort_key=46 | ||
| sort_direction=1 | ||
| hide_threads=0 | ||
| hide_kernel_threads=1 | ||
| hide_userland_threads=1 | ||
| shadow_other_users=1 | ||
| show_thread_names=1 | ||
| highlight_base_name=1 | ||
| highlight_megabytes=1 | ||
| highlight_threads=1 | ||
| tree_view=1 | ||
| header_margin=1 | ||
| detailed_cpu_time=1 | ||
| cpu_count_from_zero=1 | ||
| update_process_names=1 | ||
| account_guest_in_cpu_meter=1 | ||
| color_scheme=0 | ||
| delay=15 | ||
| left_meters=LeftCPUs Memory Swap | ||
| left_meter_modes=1 1 1 | ||
| right_meters=RightCPUs Hostname Uptime | ||
| right_meter_modes=1 2 2 |
| @@ -0,0 +1,80 @@ | ||
| # Maximum and minimum number of peers to connect to per torrent. | ||
| min_peers = 50 | ||
| max_peers = 80 | ||
|
|
||
| # Same as above but for seeding completed torrents (-1 = same as downloading) | ||
| min_peers_seed = 10 | ||
| max_peers_seed = 50 | ||
|
|
||
| # Maximum number of simultanious uploads per torrent. | ||
| max_uploads = 4 | ||
|
|
||
| # Global upload and download rate in KiB. "0" for unlimited. | ||
| download_rate = 2000 | ||
| upload_rate = 500 | ||
|
|
||
| # Default directory to save the downloaded torrents. | ||
| directory = /home/user/torrents | ||
|
|
||
| # Default session directory. Make sure you don't run multiple instance | ||
| # of rtorrent using the same session directory. Perhaps using a | ||
| # relative path? | ||
| session = /home/user/session | ||
|
|
||
| # Watch a directory for new torrents, and stop those that have been | ||
| # deleted. | ||
| schedule = watch_directory,5,5,load_start=/home/watch/*.torrent | ||
| #schedule = untied_directory,5,5,stop_untied= | ||
|
|
||
| # Close torrents when diskspace is low. | ||
| schedule = low_diskspace,5,60,close_low_diskspace=100M | ||
|
|
||
| # The ip address reported to the tracker. | ||
| #ip = 127.0.0.1 | ||
| #ip = rakshasa.no | ||
|
|
||
| # The ip address the listening socket and outgoing connections is | ||
| # bound to. | ||
| #bind = 127.0.0.1 | ||
| #bind = rakshasa.no | ||
|
|
||
| # Port range to use for listening. | ||
| port_range = 60125-64125 | ||
|
|
||
| # Start opening ports at a random position within the port range. | ||
| port_random = yes | ||
|
|
||
| # Check hash for finished torrents. Might be usefull until the bug is | ||
| # fixed that causes lack of diskspace not to be properly reported. | ||
| check_hash = yes | ||
|
|
||
| # Set whether the client should try to connect to UDP trackers. | ||
| use_udp_trackers = yes | ||
|
|
||
| # Alternative calls to bind and ip that should handle dynamic ip's. | ||
| #schedule = ip_tick,0,1800,ip=rakshasa | ||
| #schedule = bind_tick,0,1800,bind=rakshasa | ||
|
|
||
| # Encryption options, set to none (default) or any combination of the following: | ||
| # allow_incoming, try_outgoing, require, require_RC4, enable_retry, prefer_plaintext | ||
| # | ||
| # The example value allows incoming encrypted connections, starts unencrypted | ||
| # outgoing connections but retries with encryption if they fail, preferring | ||
| # plaintext to RC4 encryption after the encrypted handshake | ||
| # | ||
| encryption = require,require_RC4,allow_incoming,try_outgoing | ||
|
|
||
| # Enable DHT support for trackerless torrents or when all trackers are down. | ||
| # May be set to "disable" (completely disable DHT), "off" (do not start DHT), | ||
| # "auto" (start and stop DHT as needed), or "on" (start DHT immediately). | ||
| # The default is "off". For DHT to work, a session directory must be defined. | ||
| # | ||
| dht = auto | ||
|
|
||
| # UDP port to use for DHT. | ||
| # | ||
| dht_port = 63425 | ||
|
|
||
| # Enable peer exchange (for torrents not marked private) | ||
| # | ||
| peer_exchange = yes |
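Review bot: The comment paragraph above `encryption = require,require_RC4,allow_incoming,try_outgoing` describes a different value — it talks about starting unencrypted outgoing connections, retrying with encryption and preferring plaintext, while the setting actually requires RC4 encryption and rejects unencrypted peers — so the explanation now misleads the next editor. Replace that paragraph with a one-line comment that matches the value, e.g. `# require encrypted (RC4) connections in both directions; unencrypted peers are refused`, or drop it. `use_udp_trackers = yes`, `dht = auto` and `peer_exchange = yes` presumably cannot work alongside the iptables policy elsewhere in this commit, which rejects non-Tor UDP and carries only TCP through the TransPort; if that policy applies to this host these settings only generate failing traffic, and `dht = disable` / `use_udp_trackers = no` would make the intent explicit.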
| @@ -0,0 +1,2 @@ | ||
| default-cache-ttl 60 | ||
|
|
| @@ -0,0 +1,25 @@ | ||
| # Beware! This file is rewritten by htop when settings are changed in the interface. | ||
| # The parser is also very primitive, and not human-friendly. | ||
| fields=0 48 46 47 62 63 49 1 | ||
| sort_key=46 | ||
| sort_direction=1 | ||
| hide_threads=0 | ||
| hide_kernel_threads=1 | ||
| hide_userland_threads=1 | ||
| shadow_other_users=1 | ||
| show_thread_names=1 | ||
| highlight_base_name=1 | ||
| highlight_megabytes=1 | ||
| highlight_threads=1 | ||
| tree_view=1 | ||
| header_margin=1 | ||
| detailed_cpu_time=1 | ||
| cpu_count_from_zero=1 | ||
| update_process_names=1 | ||
| account_guest_in_cpu_meter=1 | ||
| color_scheme=0 | ||
| delay=15 | ||
| left_meters=LeftCPUs Memory Swap | ||
| left_meter_modes=1 1 1 | ||
| right_meters=RightCPUs Hostname Uptime | ||
| right_meter_modes=1 2 2 |
| @@ -0,0 +1,4 @@ | ||
| title Arch Linux | ||
| linux /vmlinuz-linux-grsec | ||
| initrd /initramfs-linux-grsec.img | ||
| options root=PARTUUID=CHANGEMEH ro dmask=027 fmask=137 quiet init=/usr/lib/systemd/systemd ipv6.disable=1 |
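Review bot: `dmask=027 fmask=137` in the `options` line are vfat mount options, not kernel command-line parameters; the kernel applies mount flags to the root filesystem only through `rootflags=`, and unrecognised `key=value` pairs are handed to init as environment variables, so these two tokens presumably have no effect here. If the goal is to restrict permissions on the ESP, the place for them is the fstab entry for /boot; otherwise remove them from this line. The identical `APPEND` line in syslinux.cfg in this commit has the same issue.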
| @@ -0,0 +1,25 @@ | ||
| #!/bin/env bash | ||
| _non_tor="192.168.1.0/24 192.168.0.0/24" | ||
| _tor_uid="109" | ||
| _trans_port="9040" | ||
| ### flush iptables | ||
| iptables -F | ||
| iptables -t nat -F | ||
| ### set iptables *nat | ||
| iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN | ||
| iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 | ||
| #allow clearnet access for hosts in $_non_tor | ||
| for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do | ||
| iptables -t nat -A OUTPUT -d $_clearnet -j RETURN | ||
| done | ||
| #redirect all other output to Tor's TransPort | ||
| iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port | ||
| ### set iptables *filter | ||
| iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| #allow clearnet access for hosts in $_non_tor | ||
| for _clearnet in $_non_tor 127.0.0.0/8; do | ||
| iptables -A OUTPUT -d $_clearnet -j ACCEPT | ||
| done | ||
| #allow only Tor output | ||
| iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT | ||
| iptables -A OUTPUT -j REJECT |
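Review bot: The script flushes both tables (`iptables -F`, `iptables -t nat -F`) but never sets chain policies, so INPUT and FORWARD keep whatever the running kernel has — ACCEPT by default — and nothing here restricts inbound connections at all. If this is meant to be the whole policy, add `iptables -P INPUT DROP` and `iptables -P FORWARD DROP` ahead of the OUTPUT rules, together with an INPUT rule for `-m state --state ESTABLISHED,RELATED` and for `lo`. `_tor_uid="109"` is a hard-coded uid that can silently differ between builds, which would send Tor's own traffic into the REJECT rule; `_tor_uid="$(id -u tor)"` ties the owner match to the real account. install.sh's `systemctl enable iptables` presumably loads the persisted rules file rather than this script, so the rules need to be saved after it runs for them to survive a reboot. `#!/bin/env bash` only works where /bin is merged into /usr/bin; `#!/usr/bin/env bash` is the portable form, here and in the other scripts of this commit.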
| @@ -0,0 +1,105 @@ | ||
| no-greeting | ||
| charset utf-8 | ||
|
|
||
| # only viable for internal storage | ||
| #default-key 621CC013 | ||
| keyid-format 0xlong | ||
| default-recipient-self | ||
| #default-recipient some-user-id | ||
|
|
||
| cert-digest-algo SHA512 | ||
| personal-digest-preferences SHA512 | ||
| personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES | ||
| default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed | ||
|
|
||
| #can take key id 0x12345678 when -r broadcast substitues this group internal storage pointless for liveusb | ||
| #group broadcast = host user | ||
|
|
||
| armor | ||
| with-fingerprint | ||
|
|
||
| require-cross-certification | ||
|
|
||
| #force-v3-sigs | ||
| #no-escape-from-lines #email reply with >\n > \n > \n reading | ||
| #no-mangle-dos-filenames | ||
| #lock-once | ||
|
|
||
| # hkp://keys.gnupg.net # Example HKP keyservers: | ||
| # ldap://pgp.surfnet.nl:11370 # Example LDAP keyservers: | ||
| # http://keyserver.example.net:22742 # Example URL keyservers: | ||
|
|
||
| keyserver hkp://keys.gnupg.net | ||
| #keyserver http://http-keys.gnupg.net | ||
| #keyserver mailto:pgp-public-keys@keys.nl.pgp.net | ||
|
|
||
| # Common options for keyserver functions: | ||
| # | ||
| # include-disabled = when searching, include keys marked as "disabled" | ||
| # on the keyserver (not all keyservers support this). | ||
| # | ||
| # no-include-revoked = when searching, do not include keys marked as | ||
| # "revoked" on the keyserver. | ||
| # | ||
| # verbose = show more information as the keys are fetched. | ||
| # Can be used more than once to increase the amount | ||
| # of information shown. | ||
| # | ||
| # use-temp-files = use temporary files instead of a pipe to talk to the | ||
| # keyserver. Some platforms (Win32 for one) always | ||
| # have this on. | ||
| # | ||
| # keep-temp-files = do not delete temporary files after using them | ||
| # (really only useful for debugging) | ||
| # | ||
| # honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy | ||
| # environment variable | ||
| # | ||
| # broken-http-proxy = try to work around a buggy HTTP proxy | ||
| # | ||
| # auto-key-retrieve = automatically fetch keys as needed from the keyserver | ||
| # when verifying signatures or when importing keys that | ||
| # have been revoked by a revocation key that is not | ||
| # present on the keyring. | ||
| # | ||
| # no-include-attributes = do not include attribute IDs (aka "photo IDs") | ||
| # when sending keys to the keyserver. | ||
|
|
||
| #keyserver-options auto-key-retrieve | ||
|
|
||
| # Uncomment this line to display photo user IDs in key listings and | ||
| # when a signature from a key with a photo is verified. | ||
|
|
||
| #show-photos | ||
|
|
||
| # Use this program to display photo user IDs | ||
| # | ||
| # %i is expanded to a temporary file that contains the photo. | ||
| # %I is the same as %i, but the file isn't deleted afterwards by GnuPG. | ||
| # %k is expanded to the key ID of the key. | ||
| # %K is expanded to the long OpenPGP key ID of the key. | ||
| # %t is expanded to the extension of the image (e.g. "jpg"). | ||
| # %T is expanded to the MIME type of the image (e.g. "image/jpeg"). | ||
| # %f is expanded to the fingerprint of the key. | ||
| # %% is %, of course. | ||
| # | ||
| # If %i or %I are not present, then the photo is supplied to the | ||
| # viewer on standard input. If your platform supports it, standard | ||
| # input is the best way to do this as it avoids the time and effort in | ||
| # generating and then cleaning up a secure temp file. | ||
| # | ||
| # The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin" | ||
| # On Mac OS X and Windows, the default is to use your regular JPEG image | ||
| # viewer. | ||
| # | ||
| # Some other viewers: | ||
| # photo-viewer "qiv %i" | ||
| # photo-viewer "ee %i" | ||
| # photo-viewer "display -title 'KeyID 0x%k'" | ||
| # | ||
| # This one saves a copy of the photo ID in your home directory: | ||
| # photo-viewer "cat > ~/photoid-for-key-%k.%t" | ||
| # | ||
| # Use your MIME handler to view photos: | ||
| # photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" | ||
|
|
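Review bot: `personal-cipher-preferences TWOFISH CAMELLIA256 AES 3DES` disagrees with `default-preference-list`, which advertises `AES256 AES192 AES CAST5` and no TWOFISH or CAMELLIA; `AES` in the former is AES-128, so the ciphers preferred when encrypting to others are not the ones announced on this key. Lead both lists with the same cipher (e.g. `AES256`) so the advertised and the applied preferences agree. `keyserver hkp://keys.gnupg.net` is plaintext HKP: every key lookup, and the key IDs searched for, is visible and modifiable in transit, so an `hkps://` keyserver is the better default on a host that otherwise routes everything through Tor. The indented "Example ... keyservers:" comments above it have their labels after the URLs; swapping them back (`# Example HKP keyservers: hkp://...`) reads as intended.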
| @@ -0,0 +1,67 @@ | ||
| #!/bin/env bash | ||
| ############################################################################################################################################################################################################### | ||
| mount ${1}1 /boot | ||
| ############################################################################################################################################################################################################### | ||
| sgdisk ${1} --attributes=1:set:2 | ||
| dd bs=440 conv=notrunc count=1 if=/usr/lib/syslinux/bios/gptmbr.bin of=${1} | ||
| syslinux-install_update -i | ||
| sed "s/CHANGEMEH/$(blkid ${1}1 -s PARTUUID -o value)/" /root/syslinux.cfg > /boot/syslinux/syslinux.cfg | ||
| ############################################################################################################################################################################################################### | ||
| bootctl --path /boot install | ||
| sed "s/CHANGEMEH/$(blkid ${1}1 -s PARTUUID -o value)/" /root/arch.conf > /boot/loader/entries/arch.conf | ||
| cp /root/loader.conf /boot/loader | ||
| ############################################################################################################################################################################################################### | ||
| mkinitcpio -p linux-grsec | ||
| rm -r /boot/initramfs-linux-grsec-fallback.img | ||
| ############################################################################################################################################################################################################### | ||
|
|
||
| ############################################################################################################################################################################################################### | ||
| locale-gen | ||
| loadkeys uk | ||
| ln -sf /usr/share/zoneinfo/UTC /etc/localtime | ||
| if [[ -f /usr/bin/pinentry ]];then rm /usr/bin/pinentry;ln -s /usr/bin/pinentry-curses /usr/bin/pinentry;else ln -s /usr/bin/pinentry-curses /usr/bin/pinentry;fi | ||
| ############################################################################################################################################################################################################### | ||
| chmod -R 700 /root | ||
| chmod -R 700 /etc/iptables | ||
| passwd -l root | ||
| ############################################################################################################################################################################################################### | ||
| groupadd --gid 1000 group | ||
| ############################################################################################################################################################################################################### | ||
| useradd --uid 1000 -g group -s /bin/bash user; | ||
| gpasswd -a user wheel | ||
| chown -R user:group /home/user; | ||
| chmod -R 700 /home/user | ||
| passwd -l user | ||
| ############################################################################################################################################################################################################### | ||
| useradd --uid 1001 -g group -s /bin/bash anon; | ||
| chown -R anon:group /home/anon; | ||
| chmod -R 700 /home/anon | ||
| passwd -l anon | ||
| ############################################################################################################################################################################################################### | ||
| chown -R root:group /home/watch | ||
| chmod -R 770 /home/watch | ||
| chown -R root:group /home/messages | ||
| chmod -R 770 /home/messages | ||
| ############################################################################################################################################################################################################### | ||
| gpasswd -a user network | ||
| chown -R root:network /etc/wpa_supplicant | ||
| chown -R 770 /etc/wpa_supplicant | ||
| ############################################################################################################################################################################################################### | ||
| systemctl enable iptables | ||
| systemctl enable haveged.service | ||
| systemctl enable systemd-networkd.service | ||
| #systemctl enable dnscrypt-proxy | ||
| systemctl enable combine.service | ||
| systemctl enable tor.service | ||
| ############################################################################################################################################################################################################### | ||
| umount /boot | ||
| rm -r /boot | ||
| ############################################################################################################################################################################################################### | ||
|
|
||
| ############################################################################################################################################################################################################### | ||
| #if [[ $(ls /root/packages) != "" ]];then | ||
| # for i in $(ls /root/packages/);do | ||
| # pacman -U /root/packages/${i} | ||
| # done | ||
| #fi | ||
| ############################################################################################################################################################################################################### |
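Review bot: `chown -R 770 /etc/wpa_supplicant` passes a mode to chown; chown rejects `770` as an invalid user and the line fails, leaving the tree owned `root:network` from the previous line but with its original permissions — the intended line is `chmod -R 770 /etc/wpa_supplicant`. `${1}` is used unvalidated as the target of `sgdisk ${1}` and `dd ... of=${1}`; a guard at the top, `[[ -b "${1}" ]] || { echo "usage: $0 /dev/DISK" >&2; exit 1; }`, keeps a missing or mistyped argument from writing the MBR to the wrong path. There is also no `set -e`, so if `mount ${1}1 /boot` fails the syslinux and loader files are presumably written under the root filesystem and then deleted by the final `rm -r /boot`.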
| @@ -0,0 +1,67 @@ | ||
| ## | ||
| linux-grsec | ||
| paxd | ||
| checksec | ||
| pax-utils | ||
| paxtest | ||
| gradm | ||
| ## | ||
| systemd | ||
| pacman | ||
| ## | ||
| syslinux | ||
| procps-ng | ||
| usbutils | ||
| mdadm | ||
| ## | ||
| iproute2 | ||
| tor | ||
| torsocks | ||
| openssh | ||
| sshfs | ||
| dnscrypt-proxy | ||
| ## | ||
| macchanger | ||
| wpa_supplicant | ||
| crda | ||
| aircrack-ng | ||
| ## | ||
| mesa | ||
| xorg-server | ||
| xorg-server-utils | ||
| xorg-server-xephyr | ||
| xorg-xinit | ||
| xf86-video-intel | ||
| xf86-video-ati | ||
| xf86-video-nouveau | ||
| xf86-input-synaptics | ||
| ## | ||
| alsa-utils | ||
| alsa-plugins | ||
| ## | ||
| sed | ||
| haveged | ||
| ## | ||
| tmux | ||
| vim-minimal | ||
| conky | ||
| htop | ||
| lsof | ||
| ## | ||
| dmenu | ||
| chromium | ||
| rtorrent | ||
| mpv | ||
| multitail | ||
| libwebkit | ||
| xorg-xprop | ||
| aalib | ||
| ## | ||
| sudo | ||
| ## | ||
| gnuradio | ||
| gnuradio-companion | ||
| gnuradio-osmosdr | ||
| ## | ||
| weechat | ||
| ## |
| @@ -0,0 +1,19 @@ | ||
| DEFAULT arch | ||
| PROMPT 0 # Set to 1 if you always want to display the boot: prompt | ||
| TIMEOUT 3 | ||
| UI menu.c32 | ||
| MENU TITLE Arch Linux | ||
| MENU COLOR border 30;44 #40ffffff #a0000000 std | ||
| MENU COLOR title 1;36;44 #9033ccff #a0000000 std | ||
| MENU COLOR sel 7;37;40 #e0ffffff #20ffffff all | ||
| MENU COLOR unsel 37;44 #50ffffff #a0000000 std | ||
| MENU COLOR help 37;40 #c0ffffff #a0000000 std | ||
| MENU COLOR timeout_msg 37;40 #80ffffff #00000000 std | ||
| MENU COLOR timeout 1;37;40 #c0ffffff #00000000 std | ||
| MENU COLOR msg07 37;40 #90ffffff #a0000000 std | ||
| MENU COLOR tabmsg 31;40 #30ffffff #00000000 std | ||
| LABEL arch | ||
| MENU LABEL Arch Linux | ||
| LINUX ../vmlinuz-linux-grsec | ||
| INITRD ../initramfs-linux-grsec.img | ||
| APPEND root=PARTUUID=CHANGEMEH ro dmask=027 fmask=137 quiet init=/usr/lib/systemd/systemd ipv6.disable=1 |
| @@ -0,0 +1,20 @@ | ||
| #!/bin/env bash | ||
| clear;cat /etc/banner | ||
| echo "sound cards available" | ||
| cat /proc/asound/cards | ||
| read -rp "select sound card (0-9): " input | ||
| if [[ ${input} == [0-9] ]];then | ||
| echo " | ||
| pcm.!default { | ||
| type hw | ||
| card ${input} | ||
| } | ||
| ctl.!default { | ||
| type hw | ||
| card ${input} | ||
| } | ||
| " > ~/.asoundrc | ||
| else | ||
| echo "takes numeric 0-9..." | ||
| fi | ||
| echo "reboot open processes for changes to take effect..." |
| @@ -0,0 +1,84 @@ | ||
| #!/bin/env bash | ||
| ############################################################################################################################################################################################################### | ||
| trap "exit" SIGINT | ||
| umask 077 | ||
| clear;cat /etc/banner | ||
| ############################################################################################################################################################################################################### | ||
| if [[ ! $(ps aux|grep gpg-agent|grep /home/user/gnupg/persistent) && $(ls /home/user/gnupg/persistent) == "" && -b /dev/archiso1 && -b /dev/archiso2 && -b /dev/archiso3 ]];then | ||
| #gnupg | ||
| if [[ $(ls /home/user/gnupg/user) != "" ]];then echo "should be";fi | ||
| #openssh | ||
| if [[ -f /home/user/openssh/ssh/id_rsa ]];then echo "shouldnt exist";fi | ||
| echo -e "this script isnt safe to run twice yet... quit (y|n)" | ||
| unset input;while [[ $input != @("y"|"n") ]];do read -rp "input: " input;done | ||
| if [[ $input == "y" ]];then exit;fi | ||
| ############################################################################################################################################################################################################### | ||
|
|
||
| #setup | ||
| ###############################################################################################################################################################################################################a | ||
| mount /dev/archiso2 | ||
| mount /dev/archiso3 | ||
| ############################################################################################################################################################################################################### | ||
|
|
||
| # sanity check if the pin you enter doesnt decrypt gpg then hard quit | ||
| cp -ar /home/user/.mount/key/gnupg/persistent/* /home/user/gnupg/persistent | ||
| unset input;read -rp "enter pin: " input | ||
| if [[ ${input} =~ ^0-9+$ ]];then echo "numeric pin";exit;fi | ||
|
|
||
| if gpg --homedir /home/user/gnupg/persistent --passphrase-fd 0 -d /home/user/.mount/key/gnupg/trigger.asc <<< $(dd if=/home/user/.mount/random/randomfs bs=1 count=100 ibs=1 skip=${input} 2>/dev/null);then | ||
|
|
||
| #gnupg | ||
| ############################################################################################################################################################################################################### | ||
| gpg --homedir /home/user/gnupg/user --passphrase-fd 0 --gen-key --batch /etc/gnupg/batch.user <<< "" 2>/dev/null | ||
| gpg --homedir /home/user/gnupg/user --output /home/user/gnupg/user.public --export user 2>/dev/null | ||
|
|
||
| cp /home/user/.mount/key/gnupg/root.public /home/user/gnupg/ | ||
| cp /home/user/.mount/key/gnupg/persistent.public /home/user/gnupg/ | ||
| cp /home/user/.mount/key/gnupg/persistent.sig /home/user/gnupg/ | ||
|
|
||
| gpg --homedir /home/user/gnupg/persistent --output /home/user/gnupg/user.sig --sign /home/user/gnupg/user.public | ||
| gpg --homedir /home/user/gnupg/user --import /home/user/persistent.public | ||
| gpg --homedir /home/user/gnupg/user --sign-key persistent | ||
|
|
||
| ############################################################################################################################################################################################################### | ||
|
|
||
| #openssh | ||
| ############################################################################################################################################################################################################### | ||
| ssh-keygen -t rsa -b 4096 -f "/home/user/openssh/ssh/id_rsa" -N "" | ||
| gpg --homedir /home/user/gnupg/user -e /home/user/openssh/ssh/id_rsa 2>/dev/null | ||
| #rm /home/user/ssh/id_rsa | ||
| cp /home/user/.mount/key/openssh/server_ca.pub /home/user/openssh/ssh/ | ||
| cp /home/user/.mount/key/openssh/known_hosts /home/user/openssh/ssh/ | ||
| echo -e "Client Certificate Uptime\n1 - 1 hour\n2 - 1 day\n3 - 1 week\n4 - 1 month\n5 - 1 year\n" | ||
| unset input;while [[ ${input} != @("1"|"2"|"3"|"4"|"5") ]];do read -p "input: " input;done | ||
| if [[ ${input} == "1" ]];then timestamp="+1h";fi | ||
| if [[ ${input} == "2" ]];then timestamp="+1d";fi | ||
| if [[ ${input} == "3" ]];then timestamp="+1w";fi | ||
| if [[ ${input} == "4" ]];then timestamp="+4w";fi | ||
| if [[ ${input} == "5" ]];then timestamp="+52w";fi | ||
| echo "$(gpg --homedir /home/user/gnupg/persistent -d /home/user/.mount/key/openssh/client_ca.asc 2>/dev/null)"| | ||
| ssh-keygen -s /dev/stdin -I user -n user -V ${timestamp} /home/user/openssh/ssh/id_rsa.pub | ||
| ############################################################################################################################################################################################################### | ||
|
|
||
| ############################################################################################################################################################################################################### | ||
| sync | ||
| pkill gpg-agent | ||
| umount /home/user/.mount/key | ||
| umount /home/user/.mount/random | ||
| rm -r /home/user/gnupg/persistent/* | ||
| ############################################################################################################################################################################################################### | ||
| chown -R user:group /home/user/ | ||
| chmod -R 700 /home/user/ | ||
| ############################################################################################################################################################################################################### | ||
| else | ||
| pkill gpg-agent | ||
| rm -r /home/user/gnupg/persistent/* | ||
| umount /dev/archiso2 | ||
| umount /dev/archiso3 | ||
| echo "Y U N0 ENTER CORRECT PIN!" | ||
| fi | ||
|
|
||
| else | ||
| echo "device not plugged in|oneshot currently running" | ||
| fi | ||
| ############################################################################################################################################################################################################### |
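Review bot: The PIN check `if [[ ${input} =~ ^0-9+$ ]]` has no bracket expression, so the regex only matches the literal text `0-9` followed by further `9`s and the guard effectively never fires; presumably it is meant to reject non-digit input before `${input}` reaches `dd ... skip=${input}`, i.e. `if [[ ! ${input} =~ ^[0-9]+$ ]];then echo "numeric pin";exit;fi` (the unlock script in this commit has no check at all on its `pin`). `gpg --homedir /home/user/gnupg/user --import /home/user/persistent.public` names a path nothing in the script creates — the file was copied to `/home/user/gnupg/persistent.public` a few lines earlier — so the import and the following `--sign-key persistent` fail, and with stderr left visible here the failure is easy to miss. With `#rm /home/user/ssh/id_rsa` commented out (and naming a different path from the `ssh-keygen -f` target) the unencrypted RSA private key stays on disk beside its `.gpg` copy; if encrypting it is the goal, remove the plaintext with `shred -u` once `gpg -e` has succeeded. `read -p "input: " input` lacks `-r`, unlike the other prompts in the script.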
| @@ -0,0 +1,31 @@ | ||
| #!/bin/env bash | ||
| ############################################################################################################################################################################################################### | ||
| umask 077 | ||
| clear;cat /etc/banner | ||
| ############################################################################################################################################################################################################### | ||
| if [[ ! $(ps aux|grep gpg-agent|grep /home/user/gnupg/persistent) && $(ls /home/user/gnupg/persistent) == "" && -b /dev/archiso1 && -b /dev/archiso2 && -b /dev/archiso3 ]];then | ||
| mount /dev/archiso2 | ||
| mount /dev/archiso3 | ||
| cp -ar /home/user/.mount/key/gnupg/persistent/* /home/user/gnupg/persistent | ||
| echo -e "gnupg uptime\n1 - 1m\n2 - 5m\n3 - 10m\n4 - 15m\n" | ||
| unset input;while [[ $input != @("1"|"2"|"3"|"4") ]];do read -p "input: " input;done | ||
| if [[ ${input} == "1" ]];then timestamp="60";fi | ||
| if [[ ${input} == "2" ]];then timestamp="300";fi | ||
| if [[ ${input} == "3" ]];then timestamp="600";fi | ||
| if [[ ${input} == "4" ]];then timestamp="900";fi | ||
| sed -i "s/60/${timestamp}/" /home/user/gnupg/persistent/gpg-agent.conf | ||
| read -rp "enter pin: " pin | ||
| if gpg --homedir /home/user/gnupg/persistent --passphrase-fd 0 -d /home/user/.mount/key/gnupg/trigger.asc 2>/dev/null <<< $(dd if=/home/user/.mount/random/randomfs bs=1 count=100 ibs=1 skip=${pin} 2>/dev/null);then | ||
| echo "$(($(date +%s)+${timestamp}))" > /home/user/gnupg/unlocked | ||
| (sleep ${timestamp} && pkill gpg-agent && rm -r /home/user/gnupg/persistent/* && rm -r /home/user/gnupg/unlocked &)& | ||
| else | ||
| pkill gpg-agent | ||
| rm -r /home/user/gnupg/persistent/* | ||
| fi | ||
| umount /dev/archiso2 | ||
| umount /dev/archiso3 | ||
| ############################################################################################################################################################################################################### | ||
| else | ||
| echo "!bail - dem errorz doe" | ||
| fi | ||
| ############################################################################################################################################################################################################### |
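Review bot: The deferred cleanup `(sleep ${timestamp} && pkill gpg-agent && rm -r /home/user/gnupg/persistent/* && rm -r /home/user/gnupg/unlocked &)&` is an `&&` chain, so if `pkill` finds no agent to kill (exit status 1) the decrypted keyring and the `unlocked` marker are never removed; separate the steps with `;`, e.g. `(sleep ${timestamp}; pkill gpg-agent; rm -rf /home/user/gnupg/persistent/* /home/user/gnupg/unlocked) &`. `sed -i "s/60/${timestamp}/" /home/user/gnupg/persistent/gpg-agent.conf` rewrites the first `60` anywhere in the file; anchoring on the key, `sed -i "s/^default-cache-ttl .*/default-cache-ttl ${timestamp}/"`, keeps it from touching other values. `read -rp "enter pin: " pin` echoes the PIN to the terminal and `${pin}` is passed unvalidated to `skip=${pin}`; `read -rsp` plus a digit check closes both gaps.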
| @@ -0,0 +1,50 @@ | ||
| { | ||
| "description": "Pepper Flash Player", | ||
| "name": "Flapper", | ||
| "version": "18.0.0.233", | ||
| "x-flapper-revision": "25516", | ||
| "x-ppapi-arch": "x64", | ||
| "x-ppapi-os": "linux", | ||
| "x-ppapi-required-interfaces": [ | ||
| "PPB_AudioConfig;1.1|PPB_AudioConfig;1.0", | ||
| "PPB_AudioInput(Dev);0.4|PPB_AudioInput(Dev);0.3", | ||
| "PPB_Audio;1.0", | ||
| "PPB_BrowserFont_Trusted;1.0", | ||
| "PPB_Buffer(Dev);0.4", | ||
| "PPB_CharSet(Dev);0.4", | ||
| "PPB_Core;1.0", | ||
| "PPB_Crypto(Dev);0.1", | ||
| "PPB_CursorControl(Dev);0.4", | ||
| "PPB_FileChooser(Dev);0.6|PPB_FileChooser(Dev);0.5", | ||
| "PPB_FileChooserTrusted;0.6|PPB_FileChooserTrusted;0.5", | ||
| "PPB_FileRef;1.0", | ||
| "PPB_Flash_Clipboard;5.0|PPB_Flash_Clipboard;4.0", | ||
| "PPB_Flash_File_FileRef;2", | ||
| "PPB_Flash_File_ModuleLocal;3", | ||
| "PPB_Flash_FontFile;0.1|PPB_PDF;1", | ||
| "PPB_FlashFullscreen;1.0|PPB_FlashFullscreen;0.1", | ||
| "PPB_Flash;13.0|PPB_Flash;12.6|PPB_Flash;12.5|PPB_Flash;12.4", | ||
| "PPB_Flash_Menu;0.2", | ||
| "PPB_Graphics2D;1.0", | ||
| "PPB_Graphics3D;1.0", | ||
| "PPB_ImageData;1.0", | ||
| "PPB_IMEInputEvent(Dev);0.2|PPB_IMEInputEvent(Dev);0.1", | ||
| "PPB_InputEvent;1.0", | ||
| "PPB_Instance;1.0", | ||
| "PPB_Memory(Dev);0.1", | ||
| "PPB_NetAddress_Private;1.1|PPB_NetAddress_Private;1.0|PPB_NetAddress_Private;0.1", | ||
| "PPB_OpenGLES2ChromiumMapSub;1.0|PPB_OpenGLES2ChromiumMapSub(Dev);1.0|PPB_GLESChromiumTextureMapping(Dev);0.1", | ||
| "PPB_OpenGLES2;1.0", | ||
| "PPB_TCPSocket_Private;0.4|PPB_TCPSocket_Private;0.3", | ||
| "PPB_TextInput(Dev);0.2|PPB_TextInput(Dev);0.1", | ||
| "PPB_UDPSocket_Private;0.4|PPB_UDPSocket_Private;0.3", | ||
| "PPB_URLLoader;1.0", | ||
| "PPB_URLLoaderTrusted;0.3", | ||
| "PPB_URLRequestInfo;1.0", | ||
| "PPB_URLResponseInfo;1.0", | ||
| "PPB_URLUtil(Dev);0.7|PPB_URLUtil(Dev);0.6", | ||
| "PPB_Var;1.1|PPB_Var;1.0", | ||
| "PPB_VideoCapture(Dev);0.3", | ||
| "PPB_View;1.0" | ||
| ] | ||
| } |
| @@ -0,0 +1,13 @@ | ||
| [Unit] | ||
| Description=OpenSSH Daemon | ||
| After=network.target | ||
|
|
||
| [Service] | ||
| User=%I | ||
| ExecStart=/usr/bin/sshd -D -f /home/%I/sshd/sshd_config | ||
| ExecReload=/bin/kill -HUP $MAINPID | ||
| KillMode=process | ||
| Restart=always | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target |
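Review bot: The service runs `sshd` as `User=%I` with no sandboxing directives, so a compromised daemon has that user's full filesystem and process view; `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` in `[Service]` cost nothing for an unprivileged listener that only needs `/home/%I/sshd`. `Restart=always` without a `RestartSec=` will trip the unit's start-rate limit almost immediately when `/home/%I/sshd/sshd_config` is missing or broken; `RestartSec=5` keeps the loop readable in the journal. `Description=OpenSSH Daemon` is shared by every instance; `Description=OpenSSH Daemon (%I)` tells them apart in `systemctl status`.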
| @@ -0,0 +1,9 @@ | ||
| # __ __ _______ _______ _______ | ||
| # | | | || || || | | ||
| # | |_| || _ || _____||_ _| | ||
| # | || | | || |_____ | | | ||
| # | || |_| ||_____ | | | | ||
| # | _ || | _____| | | | | ||
| # |__| |__||_______||_______| |___| | ||
| # ------------------------------------ | ||
|
|
| @@ -0,0 +1,19 @@ | ||
| # /etc/bash.bashrc | ||
| ########################################################################################################################################################################################## | ||
| [[ $- != *i* ]] && return | ||
| if [[ $(id -u) != 0 ]];then PS1="\[\e[32m\][\u@archiso]\[\e[36m\][\w]:\[\e[m\] ";else PS1="\[\e[32m\][\u@archiso]\[\e[31m\][\w]:\[\e[m\] ";fi | ||
| PS2='> ' | ||
| PS3='> ' | ||
| PS4='+ ' | ||
| ########################################################################################################################################################################################## | ||
| alias ls='ls --color=auto --group-directories-first' | ||
| alias l='ls -lh' | ||
| alias ll='ls -alh' | ||
| alias c='clear; cat /etc/banner' | ||
| alias cl='clear;cat /etc/banner;ls -lAh' | ||
| alias ..='cd ..' | ||
| alias surf='surf https://localhost:31297' | ||
| export EDITOR=vim | ||
| ############################################################################################################################################################################################################### | ||
| function passwdgen { cat /dev/random | tr -cd 'a-zA-Z0-9' | fold -w 128 | head -n 1; } | ||
| ############################################################################################################################################################################################################### |
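Review bot: `passwdgen` reads `/dev/random`, which on kernels of this era blocks whenever the entropy estimate is low, so the function can hang for a long time before producing its 128 characters; `/dev/urandom` is the appropriate source for this and never blocks. The `cat` stage is redundant, and `tr -cd` on raw bytes depends on the locale's byte-versus-character handling, so pin it: `passwdgen() { LC_ALL=C tr -cd 'a-zA-Z0-9' < /dev/urandom | head -c 128; echo; }`. `alias surf='surf https://localhost:31297'` hard-codes a port that nothing else in this commit documents; a comment naming the listener it expects would help the next reader.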
| @@ -0,0 +1,140 @@ | ||
| # | ||
| # Wireless regulatory domain configuration | ||
| # | ||
|
|
||
| #WIRELESS_REGDOM="00" | ||
| #WIRELESS_REGDOM="AD" | ||
| #WIRELESS_REGDOM="AE" | ||
| #WIRELESS_REGDOM="AF" | ||
| #WIRELESS_REGDOM="AL" | ||
| #WIRELESS_REGDOM="AM" | ||
| #WIRELESS_REGDOM="AN" | ||
| #WIRELESS_REGDOM="AR" | ||
| #WIRELESS_REGDOM="AT" | ||
| #WIRELESS_REGDOM="AU" | ||
| #WIRELESS_REGDOM="AW" | ||
| #WIRELESS_REGDOM="AZ" | ||
| #WIRELESS_REGDOM="BA" | ||
| #WIRELESS_REGDOM="BB" | ||
| #WIRELESS_REGDOM="BD" | ||
| #WIRELESS_REGDOM="BE" | ||
| #WIRELESS_REGDOM="BF" | ||
| #WIRELESS_REGDOM="BG" | ||
| #WIRELESS_REGDOM="BH" | ||
| #WIRELESS_REGDOM="BL" | ||
| #WIRELESS_REGDOM="BN" | ||
| #WIRELESS_REGDOM="BO" | ||
| #WIRELESS_REGDOM="BR" | ||
| #WIRELESS_REGDOM="BT" | ||
| #WIRELESS_REGDOM="BY" | ||
| #WIRELESS_REGDOM="BZ" | ||
| #WIRELESS_REGDOM="CA" | ||
| #WIRELESS_REGDOM="CF" | ||
| #WIRELESS_REGDOM="CH" | ||
| #WIRELESS_REGDOM="CI" | ||
| #WIRELESS_REGDOM="CL" | ||
| #WIRELESS_REGDOM="CN" | ||
| #WIRELESS_REGDOM="CO" | ||
| #WIRELESS_REGDOM="CR" | ||
| #WIRELESS_REGDOM="CY" | ||
| #WIRELESS_REGDOM="CZ" | ||
| #WIRELESS_REGDOM="DE" | ||
| #WIRELESS_REGDOM="DK" | ||
| #WIRELESS_REGDOM="DO" | ||
| #WIRELESS_REGDOM="DZ" | ||
| #WIRELESS_REGDOM="EC" | ||
| #WIRELESS_REGDOM="EE" | ||
| #WIRELESS_REGDOM="EG" | ||
| #WIRELESS_REGDOM="ES" | ||
| #WIRELESS_REGDOM="FI" | ||
| #WIRELESS_REGDOM="FM" | ||
| #WIRELESS_REGDOM="FR" | ||
| #WIRELESS_REGDOM="GB" | ||
| #WIRELESS_REGDOM="GD" | ||
| #WIRELESS_REGDOM="GE" | ||
| #WIRELESS_REGDOM="GH" | ||
| #WIRELESS_REGDOM="GL" | ||
| #WIRELESS_REGDOM="GR" | ||
| #WIRELESS_REGDOM="GT" | ||
| #WIRELESS_REGDOM="GU" | ||
| #WIRELESS_REGDOM="GY" | ||
| #WIRELESS_REGDOM="HK" | ||
| #WIRELESS_REGDOM="HN" | ||
| #WIRELESS_REGDOM="HR" | ||
| #WIRELESS_REGDOM="HT" | ||
| #WIRELESS_REGDOM="HU" | ||
| #WIRELESS_REGDOM="ID" | ||
| #WIRELESS_REGDOM="IE" | ||
| #WIRELESS_REGDOM="IL" | ||
| #WIRELESS_REGDOM="IN" | ||
| #WIRELESS_REGDOM="IR" | ||
| #WIRELESS_REGDOM="IS" | ||
| #WIRELESS_REGDOM="IT" | ||
| #WIRELESS_REGDOM="JM" | ||
| #WIRELESS_REGDOM="JO" | ||
| WIRELESS_REGDOM="JP" | ||
| #WIRELESS_REGDOM="KE" | ||
| #WIRELESS_REGDOM="KH" | ||
| #WIRELESS_REGDOM="KP" | ||
| #WIRELESS_REGDOM="KR" | ||
| #WIRELESS_REGDOM="KW" | ||
| #WIRELESS_REGDOM="KZ" | ||
| #WIRELESS_REGDOM="LB" | ||
| #WIRELESS_REGDOM="LI" | ||
| #WIRELESS_REGDOM="LK" | ||
| #WIRELESS_REGDOM="LT" | ||
| #WIRELESS_REGDOM="LU" | ||
| #WIRELESS_REGDOM="LV" | ||
| #WIRELESS_REGDOM="MA" | ||
| #WIRELESS_REGDOM="MC" | ||
| #WIRELESS_REGDOM="ME" | ||
| #WIRELESS_REGDOM="MK" | ||
| #WIRELESS_REGDOM="MO" | ||
| #WIRELESS_REGDOM="MR" | ||
| #WIRELESS_REGDOM="MT" | ||
| #WIRELESS_REGDOM="MX" | ||
| #WIRELESS_REGDOM="MY" | ||
| #WIRELESS_REGDOM="NL" | ||
| #WIRELESS_REGDOM="NO" | ||
| #WIRELESS_REGDOM="NP" | ||
| #WIRELESS_REGDOM="NZ" | ||
| #WIRELESS_REGDOM="OM" | ||
| #WIRELESS_REGDOM="PA" | ||
| #WIRELESS_REGDOM="PE" | ||
| #WIRELESS_REGDOM="PG" | ||
| #WIRELESS_REGDOM="PH" | ||
| #WIRELESS_REGDOM="PK" | ||
| #WIRELESS_REGDOM="PL" | ||
| #WIRELESS_REGDOM="PR" | ||
| #WIRELESS_REGDOM="PT" | ||
| #WIRELESS_REGDOM="PW" | ||
| #WIRELESS_REGDOM="QA" | ||
| #WIRELESS_REGDOM="RO" | ||
| #WIRELESS_REGDOM="RS" | ||
| #WIRELESS_REGDOM="RU" | ||
| #WIRELESS_REGDOM="RW" | ||
| #WIRELESS_REGDOM="SA" | ||
| #WIRELESS_REGDOM="SE" | ||
| #WIRELESS_REGDOM="SG" | ||
| #WIRELESS_REGDOM="SI" | ||
| #WIRELESS_REGDOM="SK" | ||
| #WIRELESS_REGDOM="SN" | ||
| #WIRELESS_REGDOM="SV" | ||
| #WIRELESS_REGDOM="SY" | ||
| #WIRELESS_REGDOM="TD" | ||
| #WIRELESS_REGDOM="TG" | ||
| #WIRELESS_REGDOM="TH" | ||
| #WIRELESS_REGDOM="TN" | ||
| #WIRELESS_REGDOM="TR" | ||
| #WIRELESS_REGDOM="TT" | ||
| #WIRELESS_REGDOM="TW" | ||
| #WIRELESS_REGDOM="UA" | ||
| #WIRELESS_REGDOM="US" | ||
| #WIRELESS_REGDOM="UY" | ||
| #WIRELESS_REGDOM="UZ" | ||
| #WIRELESS_REGDOM="VE" | ||
| #WIRELESS_REGDOM="VN" | ||
| #WIRELESS_REGDOM="VU" | ||
| #WIRELESS_REGDOM="YE" | ||
| #WIRELESS_REGDOM="ZA" | ||
| #WIRELESS_REGDOM="ZW" |
| @@ -0,0 +1,12 @@ | ||
| ############################################################################################################################################################################################################### | ||
| tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec 0 0 | ||
| tmpfs /var/tmp tmpfs rw,nodev,nosuid,noexec 0 0 | ||
| tmpfs /tmp tmpfs rw,nodev,nosuid,noexec 0 0 | ||
| proc /proc proc defaults,hidepid=2 0 0 | ||
| ############################################################################################################################################################################################################### | ||
|
|
||
| #changing... | ||
| /dev/archiso2 /home/user/.mount/key ext4 ro,noload,nodev,nosuid,noexec,user,noauto,noatime | ||
| /dev/archiso3 /home/user/.mount/random ext4 ro,noload,nodev,nosuid,noexec,user,noauto,noatime | ||
|
|
||
| ############################################################################################################################################################################################################### |
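Review bot: The three tmpfs entries at the top of the hunk (`/dev/shm`, `/var/tmp`, `/tmp`) carry no `size=` option, so each can grow to the tmpfs default of half of RAM and a single unprivileged process filling `/tmp` can starve the whole system of memory. A cap such as `tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,size=2G 0 0` (constructed example; size it for the host) bounds that. Placing `/var/tmp` on tmpfs also drops its persist-across-reboot contract, which may be intended here but deserves a comment. The `#changing...` comment above the two `/dev/archiso*` lines says nothing about what is changing; a sentence naming what those mounts hold and why they are `noauto` would help the next reader.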
| @@ -0,0 +1,12 @@ | ||
| %echo Generating user gnupg key | ||
| Key-Type: rsa | ||
| Key-Length: 4096 | ||
| Key-Usage: sign | ||
| Subkey-Type: rsa | ||
| Subkey-Length: 4096 | ||
| Subkey-Usage: encrypt | ||
| Name-Real:user | ||
| Name-Email:user@host | ||
| Expire-Date: 0 | ||
| %commit | ||
| %echo done |
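Review bot: `Expire-Date: 0` makes both the signing primary key and the encryption subkey non-expiring, so a lost or compromised key with no separately stored revocation certificate stays valid indefinitely; the same setting appears in the batch files ending at L1641, L1651, L1661 and L1674. A finite lifetime such as `Expire-Date: 2y` keeps the key renewable and limits the exposure window, and a comment pointing at where the revocation certificate is kept would complete the picture. The `Name-Real:` and `Name-Email:` lines also lack the space after the colon that the other parameters use; worth normalising for consistency even if the parser tolerates it.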
| @@ -0,0 +1,2 @@ | ||
| default-cache-ttl 60 | ||
| allow-loopback-pinentry |
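Review bot: `allow-loopback-pinentry` lets any client that can reach the agent socket supply the passphrase over the protocol instead of through an interactive pinentry, so a process running as this user can drive the agent without a prompt; with `pinentry-mode loopback` set in the gpg.conf hunks this looks intended, but the trade-off should be recorded in a comment here. The identical file ending at L1677 gets the same remark. `default-cache-ttl 60` is tight, while `max-cache-ttl` is left at its default, so a key used repeatedly can stay cached up to that default; a one-line comment stating the intended cache window would make the choice reviewable.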
| @@ -0,0 +1,90 @@ | ||
| ############################################################################################################################################################################################################### | ||
| no-greeting | ||
| charset utf-8 | ||
| keyid-format 0xlong | ||
| default-recipient-self | ||
| cert-digest-algo SHA512 | ||
| personal-digest-preferences SHA512 | ||
| personal-cipher-preferences TWOFISH AES256 | ||
| default-preference-list SHA512 AES256 | ||
| armor | ||
| with-fingerprint | ||
| require-cross-certification | ||
| pinentry-mode loopback | ||
| keyserver hkp://keys.gnupg.net | ||
| ############################################################################################################################################################################################################### | ||
| #force-v3-sigs | ||
| #no-escape-from-lines #email reply with >\n > \n > \n reading | ||
| #no-mangle-dos-filenames | ||
| #lock-once | ||
| # hkp://keys.gnupg.net # Example HKP keyservers: | ||
| # ldap://pgp.surfnet.nl:11370 # Example LDAP keyservers: | ||
| # http://keyserver.example.net:22742 # Example URL keyservers: | ||
| #keyserver http://http-keys.gnupg.net | ||
| #keyserver mailto:pgp-public-keys@keys.nl.pgp.net | ||
| # Common options for keyserver functions: | ||
| # | ||
| # include-disabled = when searching, include keys marked as "disabled" | ||
| # on the keyserver (not all keyservers support this). | ||
| # | ||
| # no-include-revoked = when searching, do not include keys marked as | ||
| # "revoked" on the keyserver. | ||
| # | ||
| # verbose = show more information as the keys are fetched. | ||
| # Can be used more than once to increase the amount | ||
| # of information shown. | ||
| # | ||
| # use-temp-files = use temporary files instead of a pipe to talk to the | ||
| # keyserver. Some platforms (Win32 for one) always | ||
| # have this on. | ||
| # | ||
| # keep-temp-files = do not delete temporary files after using them | ||
| # (really only useful for debugging) | ||
| # | ||
| # honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy | ||
| # environment variable | ||
| # | ||
| # broken-http-proxy = try to work around a buggy HTTP proxy | ||
| # | ||
| # auto-key-retrieve = automatically fetch keys as needed from the keyserver | ||
| # when verifying signatures or when importing keys that | ||
| # have been revoked by a revocation key that is not | ||
| # present on the keyring. | ||
| # | ||
| # no-include-attributes = do not include attribute IDs (aka "photo IDs") | ||
| # when sending keys to the keyserver. | ||
| #keyserver-options auto-key-retrieve | ||
| # Uncomment this line to display photo user IDs in key listings and | ||
| # when a signature from a key with a photo is verified. | ||
| #show-photos | ||
| # Use this program to display photo user IDs | ||
| # | ||
| # %i is expanded to a temporary file that contains the photo. | ||
| # %I is the same as %i, but the file isn't deleted afterwards by GnuPG. | ||
| # %k is expanded to the key ID of the key. | ||
| # %K is expanded to the long OpenPGP key ID of the key. | ||
| # %t is expanded to the extension of the image (e.g. "jpg"). | ||
| # %T is expanded to the MIME type of the image (e.g. "image/jpeg"). | ||
| # %f is expanded to the fingerprint of the key. | ||
| # %% is %, of course. | ||
| # | ||
| # If %i or %I are not present, then the photo is supplied to the | ||
| # viewer on standard input. If your platform supports it, standard | ||
| # input is the best way to do this as it avoids the time and effort in | ||
| # generating and then cleaning up a secure temp file. | ||
| # | ||
| # The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin" | ||
| # On Mac OS X and Windows, the default is to use your regular JPEG image | ||
| # viewer. | ||
| # | ||
| # Some other viewers: | ||
| # photo-viewer "qiv %i" | ||
| # photo-viewer "ee %i" | ||
| # photo-viewer "display -title 'KeyID 0x%k'" | ||
| # | ||
| # This one saves a copy of the photo ID in your home directory: | ||
| # photo-viewer "cat > ~/photoid-for-key-%k.%t" | ||
| # | ||
| # Use your MIME handler to view photos: | ||
| # photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" | ||
| ############################################################################################################################################################################################################### |
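Review bot: `keyserver hkp://keys.gnupg.net` fetches keys over unauthenticated, cleartext HKP, so a network observer sees which keys are looked up and an on-path party can substitute responses; the same line appears in the second gpg.conf hunk ending at L1773. Pointing it at an `hkps://` server removes that exposure, which matters all the more if the commented `keyserver-options auto-key-retrieve` is ever enabled, since signature verification would then trigger unattended fetches. `personal-cipher-preferences TWOFISH AES256` here differs from `personal-cipher-preferences AES256` in the second copy; the two should be reconciled or the difference explained. The `#no-escape-from-lines #email reply ...` line carries a trailing comment on a commented option, which reads as a half-edited note; moving the explanation to its own line keeps the file clean.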
| @@ -0,0 +1,7 @@ | ||
| # | ||
| # /etc/hosts: static lookup table for host names | ||
| # | ||
| #<ip-address> <hostname.domain.org> <hostname> | ||
| 127.0.0.1 localhost.localdomain localhost | ||
| #::1 localhost.localdomain localhost | ||
| # End of file |
| @@ -0,0 +1,9 @@ | ||
| # __ __ _______ _______ _______ | ||
| # | | | || || || | | ||
| # | |_| || _ || _____||_ _| | ||
| # | || | | || |_____ | | | ||
| # | || |_| ||_____ | | | | ||
| # | _ || | _____| | | | | ||
| # |__| |__||_______||_______| |___| | ||
| # ------------------------------------ | ||
|
|
| @@ -0,0 +1,12 @@ | ||
| %echo Generating user gnupg key | ||
| Key-Type: rsa | ||
| Key-Length: 4096 | ||
| Key-Usage: sign | ||
| Subkey-Type: rsa | ||
| Subkey-Length: 4096 | ||
| Subkey-Usage: encrypt | ||
| Name-Real:persistent | ||
| Name-Email:persistent@container | ||
| Expire-Date: 0 | ||
| %commit | ||
| %echo done |
| @@ -0,0 +1,9 @@ | ||
| %echo Generating host gnupg key | ||
| Key-Type: rsa | ||
| Key-Length: 4096 | ||
| Key-Usage: sign | ||
| Name-Real:revoke | ||
| Name-Email:revoke@container | ||
| Expire-Date: 0 | ||
| %commit | ||
| %echo done |
| @@ -0,0 +1,9 @@ | ||
| %echo Generating host gnupg key | ||
| Key-Type: rsa | ||
| Key-Length: 4096 | ||
| Key-Usage: sign | ||
| Name-Real:root | ||
| Name-Email:root@container | ||
| Expire-Date: 0 | ||
| %commit | ||
| %echo done |
| @@ -0,0 +1,12 @@ | ||
| %echo Generating user gnupg key | ||
| Key-Type: rsa | ||
| Key-Length: 4096 | ||
| Key-Usage: sign | ||
| Subkey-Type: rsa | ||
| Subkey-Length: 4096 | ||
| Subkey-Usage: encrypt | ||
| Name-Real:user | ||
| Name-Email:user@host | ||
| Expire-Date: 0 | ||
| %commit | ||
| %echo done |
| @@ -0,0 +1,2 @@ | ||
| default-cache-ttl 60 | ||
| allow-loopback-pinentry |
| @@ -0,0 +1,90 @@ | ||
| no-greeting | ||
| charset utf-8 | ||
| keyid-format 0xlong | ||
| default-recipient-self | ||
| cert-digest-algo SHA512 | ||
| personal-digest-preferences SHA512 | ||
| personal-cipher-preferences AES256 | ||
| default-preference-list SHA512 AES256 | ||
| armor | ||
| with-fingerprint | ||
| require-cross-certification | ||
| pinentry-mode loopback | ||
|
|
||
| keyserver hkp://keys.gnupg.net | ||
|
|
||
| #force-v3-sigs | ||
| #no-escape-from-lines #email reply with >\n > \n > \n reading | ||
| #no-mangle-dos-filenames | ||
| #lock-once | ||
| # hkp://keys.gnupg.net # Example HKP keyservers: | ||
| # ldap://pgp.surfnet.nl:11370 # Example LDAP keyservers: | ||
| # http://keyserver.example.net:22742 # Example URL keyservers: | ||
| #keyserver http://http-keys.gnupg.net | ||
| #keyserver mailto:pgp-public-keys@keys.nl.pgp.net | ||
| # Common options for keyserver functions: | ||
| # | ||
| # include-disabled = when searching, include keys marked as "disabled" | ||
| # on the keyserver (not all keyservers support this). | ||
| # | ||
| # no-include-revoked = when searching, do not include keys marked as | ||
| # "revoked" on the keyserver. | ||
| # | ||
| # verbose = show more information as the keys are fetched. | ||
| # Can be used more than once to increase the amount | ||
| # of information shown. | ||
| # | ||
| # use-temp-files = use temporary files instead of a pipe to talk to the | ||
| # keyserver. Some platforms (Win32 for one) always | ||
| # have this on. | ||
| # | ||
| # keep-temp-files = do not delete temporary files after using them | ||
| # (really only useful for debugging) | ||
| # | ||
| # honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy | ||
| # environment variable | ||
| # | ||
| # broken-http-proxy = try to work around a buggy HTTP proxy | ||
| # | ||
| # auto-key-retrieve = automatically fetch keys as needed from the keyserver | ||
| # when verifying signatures or when importing keys that | ||
| # have been revoked by a revocation key that is not | ||
| # present on the keyring. | ||
| # | ||
| # no-include-attributes = do not include attribute IDs (aka "photo IDs") | ||
| # when sending keys to the keyserver. | ||
| #keyserver-options auto-key-retrieve | ||
| # Uncomment this line to display photo user IDs in key listings and | ||
| # when a signature from a key with a photo is verified. | ||
| #show-photos | ||
| # Use this program to display photo user IDs | ||
| # | ||
| # %i is expanded to a temporary file that contains the photo. | ||
| # %I is the same as %i, but the file isn't deleted afterwards by GnuPG. | ||
| # %k is expanded to the key ID of the key. | ||
| # %K is expanded to the long OpenPGP key ID of the key. | ||
| # %t is expanded to the extension of the image (e.g. "jpg"). | ||
| # %T is expanded to the MIME type of the image (e.g. "image/jpeg"). | ||
| # %f is expanded to the fingerprint of the key. | ||
| # %% is %, of course. | ||
| # | ||
| # If %i or %I are not present, then the photo is supplied to the | ||
| # viewer on standard input. If your platform supports it, standard | ||
| # input is the best way to do this as it avoids the time and effort in | ||
| # generating and then cleaning up a secure temp file. | ||
| # | ||
| # The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin" | ||
| # On Mac OS X and Windows, the default is to use your regular JPEG image | ||
| # viewer. | ||
| # | ||
| # Some other viewers: | ||
| # photo-viewer "qiv %i" | ||
| # photo-viewer "ee %i" | ||
| # photo-viewer "display -title 'KeyID 0x%k'" | ||
| # | ||
| # This one saves a copy of the photo ID in your home directory: | ||
| # photo-viewer "cat > ~/photoid-for-key-%k.%t" | ||
| # | ||
| # Use your MIME handler to view photos: | ||
| # photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" | ||
|
|
| @@ -0,0 +1,97 @@ | ||
| Host * | ||
| AddressFamily any | ||
| Port 31279 | ||
| Protocol 2 | ||
| LogLevel INFO | ||
|
|
||
| Ciphers aes256-ctr | ||
| HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com | ||
| KexAlgorithms diffie-hellman-group-exchange-sha256 | ||
| MACs hmac-sha2-512 | ||
| Compression yes | ||
|
|
||
| PreferredAuthentications publickey | ||
| PubkeyAuthentication yes | ||
| RekeyLimit default none | ||
| ChallengeResponseAuthentication no | ||
| KbdInteractiveAuthentication no | ||
| PasswordAuthentication no | ||
| RSAAuthentication no | ||
| RhostsRSAAuthentication no | ||
|
|
||
| IdentitiesOnly yes | ||
| IdentityFile ~/openssh/ssh/id_rsa | ||
|
|
||
| ConnectionAttempts 1 | ||
| ConnectTimeout 7 | ||
|
|
||
| RequestTTY auto | ||
| ForwardX11 yes | ||
| ForwardX11Timeout 20m | ||
| ForwardX11Trusted no | ||
| ForwardAgent no | ||
| GatewayPorts no | ||
| TCPKeepAlive yes | ||
| #ServerAliveCountMax | ||
| #ServerAliveInterval | ||
|
|
||
| StrictHostKeyChecking ask | ||
| UserKnownHostsFile ~/openssh/ssh/known_hosts | ||
| HashKnownHosts yes | ||
| UpdateHostKeys ask | ||
| CheckHostIP yes | ||
|
|
||
| VisualHostKey yes | ||
| BatchMode no | ||
| NoHostAuthenticationForLocalhost yes | ||
|
|
||
| IPQoS lowdelay throughput | ||
|
|
||
| #Match | ||
| #BindAddress | ||
| #CanonicalDomains | ||
| #CanonicalizeFallbackLocal | ||
| #CanonicalizeHostname | ||
| #CanonicalizeMaxDots | ||
| #CanonicalizePermittedCNAMEs | ||
| #Cipher | ||
| #ClearAllForwardings | ||
| #CompressionLevel | ||
| #ControlMaster | ||
| #ControlPath | ||
| #ControlPersist | ||
| #DynamicForward | ||
| #EnableSSHKeysign | ||
| #EscapeChar | ||
| #ExitOnForwardFailure | ||
| #FingerprintHash | ||
|
|
||
| # etc known_hosts | ||
| #GlobalKnownHostsFile | ||
|
|
||
| #GSSAPIAuthentication | ||
| #GSSAPIDelegateCredentials | ||
| #HostbasedAuthentication | ||
| #HostbasedKeyTypes | ||
| #HostKeyAlias | ||
| #HostName | ||
| #IgnoreUnknown | ||
| #KbdInteractiveDevices | ||
| #LocalCommand | ||
| #LocalForward | ||
| #NumberOfPasswordPrompts | ||
| #PKCS11Provider | ||
| #ProxyCommand | ||
| #ProxyUseFdpass | ||
| #RemoteForward | ||
| #RevokedHostKeys | ||
| #SendEnv | ||
| #StreamLocalBindMask | ||
| #StreamLocalBindUnlink | ||
| #Tunnel | ||
| #TunnelDevice | ||
| #UsePrivilegedPort | ||
| #User | ||
| #VerifyHostKeyDNS | ||
| #XAuthLocation | ||
| #PermitLocalCommand no |
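Review bot: `ForwardX11 yes` under `Host *` enables X11 forwarding to every server this client connects to, and even with `ForwardX11Trusted no` a compromised server gets an untrusted X connection back into the local display; setting `ForwardX11 no` in the global block and enabling it in a per-host stanza limits that to hosts that need it. The same applies to the ssh_config hunk ending at L2403. `MACs hmac-sha2-512` selects the encrypt-and-MAC construction; `MACs hmac-sha2-512-etm@openssh.com` keeps the same hash with encrypt-then-MAC, which is the form OpenSSH itself prefers. `HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com` accepts only certified host keys, so a connection to any host without a certificate fails at host key verification; that matches the `HostCertificate` in the sshd_config hunk but should be stated in a comment so the failure mode is understood.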
| @@ -0,0 +1,99 @@ | ||
| PidFile /run/sshd.pid | ||
| LogLevel INFO | ||
| SyslogFacility AUTH | ||
| StrictModes yes | ||
|
|
||
| Port 31279 | ||
| AddressFamily inet | ||
| ListenAddress 0.0.0.0 | ||
|
|
||
| Protocol 2 | ||
| KexAlgorithms diffie-hellman-group-exchange-sha256 | ||
| Ciphers aes256-ctr | ||
| MACs hmac-sha2-512 | ||
| Compression delayed | ||
|
|
||
| PermitRootLogin no | ||
| #DenyUsers | ||
| AllowUsers user | ||
| #DenyGroups | ||
| AllowGroups group | ||
|
|
||
| PubkeyAuthentication yes | ||
| AuthenticationMethods publickey | ||
| PubkeyAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com | ||
| HostbasedAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com | ||
| AuthorizedKeysFile %h/ssh/authorized_keys | ||
|
|
||
| HostKey /home/user/openssh/sshd/ssh_host_rsa_key | ||
| HostCertificate /home/user/openssh/sshd/ssh_host_rsa_key-cert.pub | ||
| TrustedUserCAKeys /home/user/openssh/sshd/users_ca.pub | ||
| RevokedKeys none | ||
| IgnoreUserKnownHosts no | ||
| #HostKeyAgent | ||
| RekeyLimit default none | ||
|
|
||
| LoginGraceTime 7 | ||
| MaxAuthTries 6 | ||
| MaxSessions 7 | ||
| MaxStartups 10:30:100 | ||
|
|
||
| Banner /etc/banner | ||
| PrintMotd no | ||
| PrintLastLog yes | ||
| PermitTTY yes | ||
| X11DisplayOffset 10 | ||
| X11Forwarding yes | ||
| X11UseLocalhost yes | ||
| XAuthLocation /usr/bin/xauth | ||
| TCPKeepAlive yes | ||
| #ClientAliveCountMax | ||
| #ClientAliveInterval | ||
| AllowAgentForwarding no | ||
| AllowTcpForwarding no | ||
| AllowStreamLocalForwarding no | ||
| GatewayPorts no | ||
| PermitTunnel no | ||
| PermitUserEnvironment no | ||
| PermitUserRC no | ||
| VersionAddendum none | ||
| UsePrivilegeSeparation sandbox | ||
|
|
||
| Subsystem sftp /usr/lib/ssh/sftp-server | ||
|
|
||
| HostbasedAuthentication no | ||
| HostbasedUsesNameFromPacketOnly no | ||
| IgnoreRhosts yes | ||
| ChallengeResponseAuthentication no | ||
| KbdInteractiveAuthentication no | ||
| PasswordAuthentication no | ||
| PermitEmptyPasswords no | ||
| IPQoS lowdelay throughput | ||
| FingerprintHash sha256 | ||
|
|
||
| #ChrootDirectory | ||
| #ForceCommand | ||
| #AuthorizedPrincipalsCommand | ||
| #AuthorizedPrincipalsCommandUser | ||
| #AuthorizedPrincipalsFile | ||
| #AcceptEnv - sends TERM by default | ||
| #AuthorizedKeysCommand | ||
| #AuthorizedKeysCommandUser | ||
| #GSSAPIAuthentication | ||
| #GSSAPICleanupCredentials | ||
| #GSSAPIStrictAcceptorCheck | ||
| #KerberosAuthentication | ||
| #KerberosGetAFSToken | ||
| #KerberosOrLocalPasswd | ||
| #KerberosTicketCleanup | ||
| #KeyRegenerationInterval | ||
| #Match | ||
| #RhostsRSAAuthentication | ||
| #RSAAuthentication | ||
| #ServerKeyBits | ||
| #StreamLocalBindMask | ||
| #StreamLocalBindUnlink | ||
| #UseDNS no | ||
| #UseLogin no | ||
| #UsePAM no | ||
| #PermitOpen |
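Review bot: `RevokedKeys none` together with `TrustedUserCAKeys` means a user certificate issued by that CA cannot be withdrawn before its own expiry, because sshd has no KRL to consult; `RevokedKeys <path-to-krl>` (placeholder) pointing at a list maintained with `ssh-keygen -k` closes that gap. The host key, host certificate and CA public key all live under `/home/user/openssh/sshd/`; if that directory is writable by the `user` account, the trust anchor can be replaced by the very account sshd is restricted to via `AllowUsers user`, so the ownership and modes of those files deserve a comment or a move under `/etc/ssh`. `UsePAM` is left commented and defaults to no, so the PAM stacks added elsewhere in this commit are not consulted by sshd at all; that is consistent with `AuthenticationMethods publickey` but should be an explicit `UsePAM no` with a note. As with the client config, `MACs hmac-sha2-512` could be the `hmac-sha2-512-etm@openssh.com` variant.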
| @@ -0,0 +1,71 @@ | ||
| ############################################################################################################################################################################################################### | ||
| dir=/mnt/internal/openssl | ||
| key=/mnt/internal/openssl | ||
| ############################################################################################################################################################################################################### | ||
| [ ca ] | ||
| default_ca = CA_default # The default ca section | ||
| ############################################################################################################################################################################################################### | ||
| [ CA_default ] | ||
| certs = $dir/certs | ||
| new_certs_dir = $dir/certs | ||
| database = $dir/index.txt | ||
| serial = $dir/serial | ||
| RANDFILE = $dir/.random | ||
| private_key = $key/persistent.key | ||
| certificate = $key/persistent.cert | ||
| default_md = sha512 | ||
| name_opt = ca_default | ||
| cert_opt = ca_default | ||
| default_days = 372 | ||
| preserve = no | ||
| policy = policy_match | ||
| ############################################################################################################################################################################################################### | ||
| [ policy_match ] | ||
| countryName = optional | ||
| stateOrProvinceName = optional | ||
| organizationName = optional | ||
| organizationalUnitName = optional | ||
| commonName = supplied | ||
| emailAddress = optional | ||
| ############################################################################################################################################################################################################### | ||
| [ req ] | ||
| default_bits = 4096 | ||
| distinguished_name = req_distinguished_name | ||
| string_mask = utf8only | ||
| default_md = sha512 | ||
| encrypt_key = no | ||
| x509_extensions = persistent | ||
| [ req_distinguished_name ] | ||
| commonName = common name | ||
| commonName_max = 64 | ||
| ############################################################################################################################################################################################################### | ||
| [ root ] | ||
| subjectKeyIdentifier=hash | ||
| authorityKeyIdentifier=keyid:always,issuer | ||
| basicConstraints = critical,CA:true | ||
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | ||
| ############################################################################################################################################################################################################### | ||
| [ persistent ] | ||
| subjectKeyIdentifier = hash | ||
| authorityKeyIdentifier = keyid:always,issuer | ||
| basicConstraints = critical, CA:true, pathlen:0 | ||
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | ||
| ############################################################################################################################################################################################################### | ||
| [ user ] | ||
| basicConstraints = CA:FALSE | ||
| nsCertType = client, email | ||
| nsComment = "OpenSSL Generated Client Certificate" | ||
| subjectKeyIdentifier = hash | ||
| authorityKeyIdentifier = keyid,issuer | ||
| keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment | ||
| extendedKeyUsage = clientAuth, emailProtection | ||
| ############################################################################################################################################################################################################### | ||
| [ server ] | ||
| basicConstraints = CA:FALSE | ||
| nsCertType = server | ||
| nsComment = "OpenSSL Generated Server Certificate" | ||
| subjectKeyIdentifier = hash | ||
| authorityKeyIdentifier = keyid,issuer:always | ||
| keyUsage = critical, digitalSignature, keyEncipherment | ||
| extendedKeyUsage = serverAuth | ||
| ############################################################################################################################################################################################################### |
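Review bot: `encrypt_key = no` in `[ req ]` writes every key generated through this config to disk unencrypted, and since `private_key = $key/persistent.key` points the CA's own signing key at that same location, the CA key would sit on disk without a passphrase; the second copy ending at L2157 does the same for `root.key`. Dropping the line (or setting `encrypt_key = yes`) keeps the key protected at rest, with the passphrase supplied at signing time. `x509_extensions = persistent` in `[ req ]` also means any `openssl req -x509` run with this file produces a certificate carrying `CA:true, pathlen:0`, so a self-signed test certificate would unintentionally be a CA; a comment on `[ req ]` stating it is only for CA self-signing, or a separate extension section for leaf requests, would make that explicit. `[ CA_default ]` sets no `crlnumber` or `default_crl_days`, which suggests CRL issuance for the `[ user ]` and `[ server ]` certificates has not been set up yet.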
| @@ -0,0 +1,71 @@ | ||
| ############################################################################################################################################################################################################### | ||
| dir=/mnt/internal/openssl | ||
| key=/mnt/internal/openssl | ||
| ############################################################################################################################################################################################################### | ||
| [ ca ] | ||
| default_ca = CA_default # The default ca section | ||
| ############################################################################################################################################################################################################### | ||
| [ CA_default ] | ||
| certs = $dir/certs | ||
| new_certs_dir = $dir/certs | ||
| database = $dir/index.txt | ||
| serial = $dir/serial | ||
| RANDFILE = $dir/.random | ||
| private_key = $key/root.key | ||
| certificate = $key/root.cert | ||
| default_md = sha512 | ||
| name_opt = ca_default | ||
| cert_opt = ca_default | ||
| default_days = 372 | ||
| preserve = no | ||
| policy = policy_match | ||
| ############################################################################################################################################################################################################### | ||
| [ policy_match ] | ||
| countryName = optional | ||
| stateOrProvinceName = optional | ||
| organizationName = optional | ||
| organizationalUnitName = optional | ||
| commonName = supplied | ||
| emailAddress = optional | ||
| ############################################################################################################################################################################################################### | ||
| [ req ] | ||
| default_bits = 4096 | ||
| distinguished_name = req_distinguished_name | ||
| string_mask = utf8only | ||
| default_md = sha512 | ||
| encrypt_key = no | ||
| x509_extensions = persistent | ||
| [ req_distinguished_name ] | ||
| commonName = common name | ||
| commonName_max = 64 | ||
| ############################################################################################################################################################################################################### | ||
| [ root ] | ||
| subjectKeyIdentifier=hash | ||
| authorityKeyIdentifier=keyid:always,issuer | ||
| basicConstraints = critical,CA:true | ||
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | ||
| ############################################################################################################################################################################################################### | ||
| [ persistent ] | ||
| subjectKeyIdentifier = hash | ||
| authorityKeyIdentifier = keyid:always,issuer | ||
| basicConstraints = critical, CA:true, pathlen:0 | ||
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | ||
| ############################################################################################################################################################################################################### | ||
| [ user ] | ||
| basicConstraints = CA:FALSE | ||
| nsCertType = client, email | ||
| nsComment = "OpenSSL Generated Client Certificate" | ||
| subjectKeyIdentifier = hash | ||
| authorityKeyIdentifier = keyid,issuer | ||
| keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment | ||
| extendedKeyUsage = clientAuth, emailProtection | ||
| ############################################################################################################################################################################################################### | ||
| [ server ] | ||
| basicConstraints = CA:FALSE | ||
| nsCertType = server | ||
| nsComment = "OpenSSL Generated Server Certificate" | ||
| subjectKeyIdentifier = hash | ||
| authorityKeyIdentifier = keyid,issuer:always | ||
| keyUsage = critical, digitalSignature, keyEncipherment | ||
| extendedKeyUsage = serverAuth | ||
| ############################################################################################################################################################################################################### |
| @@ -0,0 +1 @@ | ||
| LANG=en_GB.UTF-8 |
| @@ -0,0 +1,19 @@ | ||
| # Begin /etc/nsswitch.conf | ||
|
|
||
| passwd: files | ||
| group: files | ||
| shadow: files | ||
|
|
||
| publickey: files | ||
|
|
||
| hosts: files resolve myhostname | ||
| networks: files | ||
|
|
||
| protocols: files | ||
| services: files | ||
| ethers: files | ||
| rpc: files | ||
|
|
||
| netgroup: files | ||
|
|
||
| # End /etc/nsswitch.conf |
| @@ -0,0 +1,48 @@ | ||
| [options] | ||
| #RootDir = / | ||
| #DBPath = /var/lib/pacman/ | ||
| #CacheDir = /var/cache/pacman/pkg/ | ||
| #LogFile = /var/log/pacman.log | ||
| #GPGDir = /etc/pacman.d/gnupg/ | ||
| HoldPkg = pacman glibc | ||
| #XferCommand = /usr/bin/curl -C - -f %u > %o | ||
| #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u | ||
| #CleanMethod = KeepInstalled | ||
| #UseDelta = 0.7 | ||
| Architecture = auto | ||
| #IgnorePkg = | ||
| #IgnoreGroup = | ||
| #NoUpgrade = | ||
| #NoExtract = | ||
| #UseSyslog | ||
| Color | ||
| ILoveCandy | ||
| #TotalDownload | ||
| #CheckSpace | ||
| #VerbosePkgLists | ||
| SigLevel = Required DatabaseOptional | ||
| LocalFileSigLevel = Optional | ||
| #RemoteFileSigLevel = Required | ||
|
|
||
| #[catalyst] | ||
| #Server = http://catalyst.wirephire.com/repo/catalyst/$arch | ||
| #Server = http://70.239.162.206/catalyst-mirror/repo/catalyst/$arch | ||
| #Server = http://mirror.rts-informatique.fr/archlinux-catalyst/repo/catalyst/$arch | ||
| #Server = http://mirror/hactar.bz/Vi0L0/catalyst/$arch | ||
| #[xorg116] | ||
| #Server = http://catalyst.wirephire.com/repo/xorg116/$arch | ||
| #Server = http://mirror.rts-informatique.fr/archlinux-catalyst/repo/xorg116/$arch | ||
| #Server = http://mirror/hactar.bz/Vi0L0/xorg116/$arch | ||
| [testing] | ||
| Include = /etc/pacman.d/mirrorlist | ||
| [core] | ||
| Include = /etc/pacman.d/mirrorlist | ||
| [extra] | ||
| Include = /etc/pacman.d/mirrorlist | ||
| [community] | ||
| Include = /etc/pacman.d/mirrorlist | ||
| #[multilib] | ||
| #Include = /etc/pacman.d/mirrorlist | ||
| #[community-testing] | ||
| #Include = /etc/pacman.d/mirrorlist | ||
|
|
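Review bot: `SigLevel = Required DatabaseOptional` requires package signatures but lets repository databases go unsigned, so a mirror serving a stale database can hold back security updates even though every individual package still verifies; if the mirrors in use sign their databases, `SigLevel = Required` tightens this, and otherwise the limitation should be recorded in a comment. `[testing]` is listed ahead of `[core]`, so testing packages take precedence for everything installed; that is a deliberate choice worth a one-line comment. The commented `[catalyst]`/`[xorg116]` blocks reference plain `http://` third-party mirrors; if they are re-enabled, `SigLevel` for those repositories should be set explicitly rather than inherited.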
| @@ -0,0 +1,7 @@ | ||
| #%PAM-1.0 | ||
|
|
||
| auth required pam_securetty.so | ||
| auth requisite pam_nologin.so | ||
| auth include system-local-login | ||
| account include system-local-login | ||
| session include system-local-login |
| @@ -0,0 +1,4 @@ | ||
| #%PAM-1.0 | ||
| #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 | ||
| #password required pam_unix.so sha512 shadow use_authtok | ||
| password required pam_unix.so sha512 shadow nullok rounds=65536 |
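Review bot: `nullok` on the only active `password` line makes pam_unix accept a blank current password during a password change, and with the quality check on the commented `pam_cracklib.so` line disabled there is no minimum length or complexity enforced at all; removing `nullok` and restoring a quality module (`pam_pwquality.so`, or the commented `pam_cracklib.so` line, chained with `use_authtok` on pam_unix) gives the stack a policy. `rounds=65536` is a sound hardening of the sha512 hash; a short comment stating the intended cost would help, since it also affects login latency.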
| @@ -0,0 +1,6 @@ | ||
| #%PAM-1.0 | ||
| auth required pam_securetty.so #disable remote root | ||
| auth include system-remote-login | ||
| account include system-remote-login | ||
| password include system-remote-login | ||
| session include system-remote-login |
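Review bot: The trailing `#disable remote root` on the `pam_securetty.so` line is the only inline comment in the PAM hunks; Linux-PAM appears to accept trailing `#` comments, but moving it to its own line above removes any doubt and matches the other files. The root denial it describes depends on the tty passed by the remote service not appearing in `/etc/securetty`, which the hunk ending at L2283 reduces to `console`; a comment stating that dependency would keep the two files from drifting apart. If this service file is sshd's, note that the sshd_config hunk leaves `UsePAM` at its default of no, so this stack is not consulted by sshd unless that changes.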
| @@ -0,0 +1,6 @@ | ||
| #%PAM-1.0 | ||
| auth sufficient pam_rootok.so | ||
| auth required pam_wheel.so use_uid | ||
| auth required pam_unix.so | ||
| account required pam_unix.so | ||
| session required pam_unix.so |
| @@ -0,0 +1,6 @@ | ||
| #%PAM-1.0 | ||
| auth sufficient pam_rootok.so | ||
| auth required pam_wheel.so use_uid | ||
| auth required pam_unix.so | ||
| account required pam_unix.so | ||
| session required pam_unix.so |
| @@ -0,0 +1 @@ | ||
| nameserver 127.0.0.1 |
| @@ -0,0 +1 @@ | ||
| console |
| @@ -0,0 +1,97 @@ | ||
| Host * | ||
| AddressFamily any | ||
| Port 31279 | ||
| Protocol 2 | ||
| LogLevel INFO | ||
|
|
||
| Ciphers aes256-ctr | ||
| HostKeyAlgorithms ssh-rsa,ssh-rsa-cert-v01@openssh.com | ||
| KexAlgorithms diffie-hellman-group-exchange-sha256 | ||
| MACs hmac-sha2-512 | ||
| Compression yes | ||
|
|
||
| PreferredAuthentications publickey | ||
| PubkeyAuthentication yes | ||
| RekeyLimit default none | ||
| ChallengeResponseAuthentication no | ||
| KbdInteractiveAuthentication no | ||
| PasswordAuthentication no | ||
| RSAAuthentication no | ||
| RhostsRSAAuthentication no | ||
|
|
||
| IdentitiesOnly yes | ||
| IdentityFile ~/openssh/ssh/id_rsa | ||
|
|
||
| ConnectionAttempts 1 | ||
| ConnectTimeout 7 | ||
|
|
||
| RequestTTY auto | ||
| ForwardX11 yes | ||
| ForwardX11Timeout 20m | ||
| ForwardX11Trusted no | ||
| ForwardAgent no | ||
| GatewayPorts no | ||
| TCPKeepAlive yes | ||
| #ServerAliveCountMax | ||
| #ServerAliveInterval | ||
|
|
||
| StrictHostKeyChecking ask | ||
| UserKnownHostsFile ~/openssh/ssh/known_hosts | ||
| HashKnownHosts yes | ||
| UpdateHostKeys ask | ||
| CheckHostIP yes | ||
|
|
||
| VisualHostKey yes | ||
| BatchMode no | ||
| NoHostAuthenticationForLocalhost yes | ||
|
|
||
| IPQoS lowdelay throughput | ||
|
|
||
| #Match | ||
| #BindAddress | ||
| #CanonicalDomains | ||
| #CanonicalizeFallbackLocal | ||
| #CanonicalizeHostname | ||
| #CanonicalizeMaxDots | ||
| #CanonicalizePermittedCNAMEs | ||
| #Cipher | ||
| #ClearAllForwardings | ||
| #CompressionLevel | ||
| #ControlMaster | ||
| #ControlPath | ||
| #ControlPersist | ||
| #DynamicForward | ||
| #EnableSSHKeysign | ||
| #EscapeChar | ||
| #ExitOnForwardFailure | ||
| #FingerprintHash | ||
|
|
||
| # etc known_hosts | ||
| #GlobalKnownHostsFile | ||
|
|
||
| #GSSAPIAuthentication | ||
| #GSSAPIDelegateCredentials | ||
| #HostbasedAuthentication | ||
| #HostbasedKeyTypes | ||
| #HostKeyAlias | ||
| #HostName | ||
| #IgnoreUnknown | ||
| #KbdInteractiveDevices | ||
| #LocalCommand | ||
| #LocalForward | ||
| #NumberOfPasswordPrompts | ||
| #PKCS11Provider | ||
| #ProxyCommand | ||
| #ProxyUseFdpass | ||
| #RemoteForward | ||
| #RevokedHostKeys | ||
| #SendEnv | ||
| #StreamLocalBindMask | ||
| #StreamLocalBindUnlink | ||
| #Tunnel | ||
| #TunnelDevice | ||
| #UsePrivilegedPort | ||
| #User | ||
| #VerifyHostKeyDNS | ||
| #XAuthLocation | ||
| #PermitLocalCommand no |
| @@ -0,0 +1,84 @@ | ||
| Host | ||
| Match | ||
| AddressFamily | ||
| BatchMode | ||
| BindAddress | ||
| CanonicalDomains | ||
| CanonicalizeFallbackLocal | ||
| CanonicalizeHostname | ||
| CanonicalizeMaxDots | ||
| CanonicalizePermittedCNAMEs | ||
| ChallengeResponseAuthentication | ||
| CheckHostIP | ||
| Cipher | ||
| Ciphers | ||
| ClearAllForwardings | ||
| Compression | ||
| CompressionLevel | ||
| ConnectionAttempts | ||
| ConnectTimeout | ||
| ControlMaster | ||
| ControlPath | ||
| ControlPersist | ||
| DynamicForward | ||
| EnableSSHKeysign | ||
| EscapeChar | ||
| ExitOnForwardFailure | ||
| FingerprintHash | ||
| ForwardAgent | ||
| ForwardX11Timeout | ||
| ForwardX11Trusted | ||
| GatewayPorts | ||
| GlobalKnownHostsFile | ||
| GSSAPIAuthentication | ||
| GSSAPIDelegateCredentials | ||
| HashKnownHosts | ||
| HostbasedAuthentication | ||
| HostbasedKeyTypes | ||
| HostKeyAlgorithms | ||
| HostKeyAlias | ||
| HostName | ||
| IdentitiesOnly | ||
| IdentityFile | ||
| IgnoreUnknown | ||
| IPQoS | ||
| KbdInteractiveAuthentication | ||
| KbdInteractiveDevices | ||
| KexAlgorithms | ||
| LocalCommand | ||
| LocalForward | ||
| LogLevel | ||
| MACs | ||
| NoHostAuthenticationForLocalhost | ||
| NumberOfPasswordPrompts | ||
| PasswordAuthentication | ||
| PermitLocalCommand | ||
| PKCS11Provider | ||
| Port | ||
| PreferredAuthentications | ||
| Protocol | ||
| ProxyCommand | ||
| ProxyUseFdpass | ||
| PubkeyAuthentication | ||
| RekeyLimit | ||
| RemoteForward | ||
| RequestTTY | ||
| RevokedHostKeys | ||
| RhostsRSAAuthentication | ||
| RSAAuthentication | ||
| SendEnv | ||
| ServerAliveCountMax | ||
| ServerAliveInterval | ||
| StreamLocalBindMask | ||
| StreamLocalBindUnlink | ||
| StrictHostKeyChecking | ||
| TCPKeepAlive | ||
| Tunnel | ||
| TunnelDevice | ||
| UpdateHostKeys | ||
| UsePrivilegedPort | ||
| User | ||
| UserKnownHostsFile | ||
| VerifyHostKeyDNS | ||
| VisualHostKey | ||
| XAuthLocation |
| @@ -0,0 +1,48 @@ | ||
| # $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ | ||
|
|
||
| # This is the ssh client system-wide configuration file. See | ||
| # ssh_config(5) for more information. This file provides defaults for | ||
| # users, and the values can be changed in per-user configuration files | ||
| # or on the command line. | ||
|
|
||
| # Configuration data is parsed as follows: | ||
| # 1. command line options | ||
| # 2. user-specific file | ||
| # 3. system-wide file | ||
| # Any configuration value is only changed the first time it is set. | ||
| # Thus, host-specific definitions should be at the beginning of the | ||
| # configuration file, and defaults at the end. | ||
|
|
||
| # Site-wide defaults for some commonly used options. For a comprehensive | ||
| # list of available options, their meanings and defaults, please see the | ||
| # ssh_config(5) man page. | ||
|
|
||
| # Host * | ||
| # ForwardAgent no | ||
| # ForwardX11 no | ||
| # RhostsRSAAuthentication no | ||
| # RSAAuthentication yes | ||
| # PasswordAuthentication yes | ||
| # HostbasedAuthentication no | ||
| # GSSAPIAuthentication no | ||
| # GSSAPIDelegateCredentials no | ||
| # BatchMode no | ||
| # CheckHostIP yes | ||
| # AddressFamily any | ||
| # ConnectTimeout 0 | ||
| # StrictHostKeyChecking ask | ||
| # IdentityFile ~/.ssh/identity | ||
| # IdentityFile ~/.ssh/id_rsa | ||
| # IdentityFile ~/.ssh/id_dsa | ||
| # Port 22 | ||
| # Protocol 2,1 | ||
| # Cipher 3des | ||
| # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc | ||
| # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 | ||
| # EscapeChar ~ | ||
| # Tunnel no | ||
| # TunnelDevice any:any | ||
| # PermitLocalCommand no | ||
| # VisualHostKey no | ||
| # ProxyCommand ssh -q -W %h:%p gateway.example.com | ||
| # RekeyLimit 1G 1h |
| @@ -0,0 +1,99 @@ | ||
| PidFile /home/user/sshd/sshd.pid | ||
| LogLevel INFO | ||
| SyslogFacility AUTH | ||
| StrictModes yes | ||
|
|
||
| Port 31279 | ||
| AddressFamily inet | ||
| ListenAddress 0.0.0.0 | ||
|
|
||
| Protocol 2 | ||
| KexAlgorithms diffie-hellman-group-exchange-sha256 | ||
| Ciphers aes256-ctr | ||
| MACs hmac-sha2-512 | ||
| Compression delayed | ||
|
|
||
| PermitRootLogin no | ||
| #DenyUsers | ||
| AllowUsers user | ||
| #DenyGroups | ||
| AllowGroups group | ||
|
|
||
| PubkeyAuthentication yes | ||
| AuthenticationMethods publickey | ||
| PubkeyAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com | ||
| HostbasedAcceptedKeyTypes ssh-rsa-cert-v01@openssh.com | ||
| AuthorizedKeysFile %h/ssh/authorized_keys | ||
|
|
||
| HostKey /home/user/sshd/ssh_host_rsa_key | ||
| HostCertificate /home/user/sshd/ssh_host_rsa_key-cert.pub | ||
| TrustedUserCAKeys /home/user/sshd/client_ca.pub | ||
| RevokedKeys none | ||
| IgnoreUserKnownHosts no | ||
| #HostKeyAgent | ||
| RekeyLimit default none | ||
|
|
||
| LoginGraceTime 7 | ||
| MaxAuthTries 6 | ||
| MaxSessions 7 | ||
| MaxStartups 10:30:100 | ||
|
|
||
| Banner /etc/banner | ||
| PrintMotd no | ||
| PrintLastLog yes | ||
| PermitTTY yes | ||
| X11DisplayOffset 10 | ||
| X11Forwarding yes | ||
| X11UseLocalhost yes | ||
| XAuthLocation /usr/bin/xauth | ||
| TCPKeepAlive yes | ||
| #ClientAliveCountMax | ||
| #ClientAliveInterval | ||
| AllowAgentForwarding no | ||
| AllowTcpForwarding no | ||
| AllowStreamLocalForwarding no | ||
| GatewayPorts no | ||
| PermitTunnel no | ||
| PermitUserEnvironment no | ||
| PermitUserRC no | ||
| VersionAddendum none | ||
| UsePrivilegeSeparation sandbox | ||
|
|
||
| Subsystem sftp /usr/lib/ssh/sftp-server | ||
|
|
||
| HostbasedAuthentication no | ||
| HostbasedUsesNameFromPacketOnly no | ||
| IgnoreRhosts yes | ||
| ChallengeResponseAuthentication no | ||
| KbdInteractiveAuthentication no | ||
| PasswordAuthentication no | ||
| PermitEmptyPasswords no | ||
| IPQoS lowdelay throughput | ||
| FingerprintHash sha256 | ||
|
|
||
| #ChrootDirectory | ||
| #ForceCommand | ||
| #AuthorizedPrincipalsCommand | ||
| #AuthorizedPrincipalsCommandUser | ||
| #AuthorizedPrincipalsFile | ||
| #AcceptEnv - sends TERM by default | ||
| #AuthorizedKeysCommand | ||
| #AuthorizedKeysCommandUser | ||
| #GSSAPIAuthentication | ||
| #GSSAPICleanupCredentials | ||
| #GSSAPIStrictAcceptorCheck | ||
| #KerberosAuthentication | ||
| #KerberosGetAFSToken | ||
| #KerberosOrLocalPasswd | ||
| #KerberosTicketCleanup | ||
| #KeyRegenerationInterval | ||
| #Match | ||
| #RhostsRSAAuthentication | ||
| #RSAAuthentication | ||
| #ServerKeyBits | ||
| #StreamLocalBindMask | ||
| #StreamLocalBindUnlink | ||
| #UseDNS no | ||
| #UseLogin no | ||
| #UsePAM no | ||
| #PermitOpen |
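Review bot: `RevokedKeys none` together with `TrustedUserCAKeys /home/user/sshd/client_ca.pub` and certificate-only `PubkeyAcceptedKeyTypes` leaves no way to cut off a leaked user certificate short of rotating the CA and reissuing every certificate it signed; point this at a KRL instead, e.g. `RevokedKeys /home/user/sshd/revoked_keys`, maintained with `ssh-keygen -k`, so a compromised key ID or serial can be revoked before its validity window ends. Per sshd_config(5) an unreadable RevokedKeys file causes public key authentication to be refused for all users, so create the (initially empty) KRL before restarting sshd. Separately, `MACs hmac-sha2-512` is the encrypt-and-MAC variant; the encrypt-then-MAC form `hmac-sha2-512-etm@openssh.com` is available in the same OpenSSH generation this file targets and should be preferred, with the client config in this change updated to match so the two still negotiate.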
| @@ -0,0 +1,89 @@ | ||
| AcceptEnv | ||
| AddressFamily | ||
| AllowAgentForwarding | ||
| AllowGroups | ||
| AllowTcpForwarding | ||
| AllowStreamLocalForwarding | ||
| AllowUsers | ||
| AuthenticationMethods | ||
| AuthorizedKeysCommand | ||
| AuthorizedKeysCommandUser | ||
| AuthorizedKeysFile | ||
| AuthorizedPrincipalsCommand | ||
| AuthorizedPrincipalsCommandUser | ||
| AuthorizedPrincipalsFile | ||
| Banner | ||
| ChallengeResponseAuthentication | ||
| ChrootDirectory | ||
| Ciphers | ||
| ClientAliveCountMax | ||
| ClientAliveInterval | ||
| Compression | ||
| DenyGroups | ||
| DenyUsers | ||
| FingerprintHash | ||
| ForceCommand | ||
| GatewayPorts | ||
| GSSAPIAuthentication | ||
| GSSAPICleanupCredentials | ||
| GSSAPIStrictAcceptorCheck | ||
| HostbasedAcceptedKeyTypes | ||
| HostbasedAuthentication | ||
| HostbasedUsesNameFromPacketOnly | ||
| HostCertificate | ||
| HostKey | ||
| HostKeyAgent | ||
| IgnoreRhosts | ||
| IgnoreUserKnownHosts | ||
| IPQoS | ||
| KbdInteractiveAuthentication | ||
| KerberosAuthentication | ||
| KerberosGetAFSToken | ||
| KerberosOrLocalPasswd | ||
| KerberosTicketCleanup | ||
| KexAlgorithms | ||
| KeyRegenerationInterval | ||
| ListenAddress | ||
| LoginGraceTime | ||
| LogLevel | ||
| MACs | ||
| Match | ||
| MaxAuthTries | ||
| MaxSessions | ||
| MaxStartups | ||
| PasswordAuthentication | ||
| PermitEmptyPasswords | ||
| PermitOpen | ||
| PermitRootLogin | ||
| PermitTunnel | ||
| PermitTTY | ||
| PermitUserEnvironment | ||
| PermitUserRC | ||
| PidFile | ||
| Port | ||
| PrintLastLog | ||
| PrintMotd | ||
| Protocol | ||
| PubkeyAcceptedKeyTypes | ||
| PubkeyAuthentication | ||
| RekeyLimit | ||
| RevokedKeys | ||
| RhostsRSAAuthentication | ||
| RSAAuthentication | ||
| ServerKeyBits | ||
| StreamLocalBindMask | ||
| StreamLocalBindUnlink | ||
| StrictModes | ||
| Subsystem | ||
| SyslogFacility | ||
| TCPKeepAlive | ||
| TrustedUserCAKeys | ||
| UseDNS | ||
| UseLogin | ||
| UsePAM | ||
| UsePrivilegeSeparation | ||
| VersionAddendum | ||
| X11DisplayOffset | ||
| X11Forwarding | ||
| X11UseLocalhost | ||
| XAuthLocation |
| @@ -0,0 +1,133 @@ | ||
| # $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $ | ||
|
|
||
| # This is the sshd server system-wide configuration file. See | ||
| # sshd_config(5) for more information. | ||
|
|
||
| # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin | ||
|
|
||
| # The strategy used for options in the default sshd_config shipped with | ||
| # OpenSSH is to specify options with their default value where | ||
| # possible, but leave them commented. Uncommented options override the | ||
| # default value. | ||
|
|
||
| #Port 22 | ||
| #AddressFamily any | ||
| #ListenAddress 0.0.0.0 | ||
| #ListenAddress :: | ||
|
|
||
| # The default requires explicit activation of protocol 1 | ||
| #Protocol 2 | ||
|
|
||
| # HostKey for protocol version 1 | ||
| #HostKey /etc/ssh/ssh_host_key | ||
| # HostKeys for protocol version 2 | ||
| #HostKey /etc/ssh/ssh_host_rsa_key | ||
| #HostKey /etc/ssh/ssh_host_dsa_key | ||
| #HostKey /etc/ssh/ssh_host_ecdsa_key | ||
| #HostKey /etc/ssh/ssh_host_ed25519_key | ||
|
|
||
| # Lifetime and size of ephemeral version 1 server key | ||
| #KeyRegenerationInterval 1h | ||
| #ServerKeyBits 1024 | ||
|
|
||
| # Ciphers and keying | ||
| #RekeyLimit default none | ||
|
|
||
| # Logging | ||
| # obsoletes QuietMode and FascistLogging | ||
| #SyslogFacility AUTH | ||
| #LogLevel INFO | ||
|
|
||
| # Authentication: | ||
|
|
||
| #LoginGraceTime 2m | ||
| #PermitRootLogin no | ||
| #StrictModes yes | ||
| #MaxAuthTries 6 | ||
| #MaxSessions 10 | ||
|
|
||
| #RSAAuthentication yes | ||
| #PubkeyAuthentication yes | ||
|
|
||
| # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 | ||
| # but this is overridden so installations will only check .ssh/authorized_keys | ||
| AuthorizedKeysFile .ssh/authorized_keys | ||
|
|
||
| #AuthorizedPrincipalsFile none | ||
|
|
||
| #AuthorizedKeysCommand none | ||
| #AuthorizedKeysCommandUser nobody | ||
|
|
||
| # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts | ||
| #RhostsRSAAuthentication no | ||
| # similar for protocol version 2 | ||
| #HostbasedAuthentication no | ||
| # Change to yes if you don't trust ~/.ssh/known_hosts for | ||
| # RhostsRSAAuthentication and HostbasedAuthentication | ||
| #IgnoreUserKnownHosts no | ||
| # Don't read the user's ~/.rhosts and ~/.shosts files | ||
| #IgnoreRhosts yes | ||
|
|
||
| # To disable tunneled clear text passwords, change to no here! | ||
| #PasswordAuthentication yes | ||
| #PermitEmptyPasswords no | ||
|
|
||
| # Change to no to disable s/key passwords | ||
| ChallengeResponseAuthentication no | ||
|
|
||
| # Kerberos options | ||
| #KerberosAuthentication no | ||
| #KerberosOrLocalPasswd yes | ||
| #KerberosTicketCleanup yes | ||
| #KerberosGetAFSToken no | ||
|
|
||
| # GSSAPI options | ||
| #GSSAPIAuthentication no | ||
| #GSSAPICleanupCredentials yes | ||
|
|
||
| # Set this to 'yes' to enable PAM authentication, account processing, | ||
| # and session processing. If this is enabled, PAM authentication will | ||
| # be allowed through the ChallengeResponseAuthentication and | ||
| # PasswordAuthentication. Depending on your PAM configuration, | ||
| # PAM authentication via ChallengeResponseAuthentication may bypass | ||
| # the setting of "PermitRootLogin without-password". | ||
| # If you just want the PAM account and session checks to run without | ||
| # PAM authentication, then enable this but set PasswordAuthentication | ||
| # and ChallengeResponseAuthentication to 'no'. | ||
| UsePAM yes | ||
|
|
||
| #AllowAgentForwarding yes | ||
| #AllowTcpForwarding yes | ||
| #GatewayPorts no | ||
| #X11Forwarding no | ||
| #X11DisplayOffset 10 | ||
| #X11UseLocalhost yes | ||
| #PermitTTY yes | ||
| PrintMotd no # pam does that | ||
| #PrintLastLog yes | ||
| #TCPKeepAlive yes | ||
| #UseLogin no | ||
| UsePrivilegeSeparation sandbox # Default for new installations. | ||
| #PermitUserEnvironment no | ||
| #Compression delayed | ||
| #ClientAliveInterval 0 | ||
| #ClientAliveCountMax 3 | ||
| #UseDNS no | ||
| #PidFile /run/sshd.pid | ||
| #MaxStartups 10:30:100 | ||
| #PermitTunnel no | ||
| #ChrootDirectory none | ||
| #VersionAddendum none | ||
|
|
||
| # no default banner path | ||
| #Banner none | ||
|
|
||
| # override default of no subsystems | ||
| Subsystem sftp /usr/lib/ssh/sftp-server | ||
|
|
||
| # Example of overriding settings on a per-user basis | ||
| #Match User anoncvs | ||
| # X11Forwarding no | ||
| # AllowTcpForwarding no | ||
| # PermitTTY no | ||
| # ForceCommand cvs server |
| @@ -0,0 +1,2 @@ | ||
| root ALL=(ALL) ALL | ||
| user ALL=(ALL) NOPASSWD: ALL |
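Review bot: `user ALL=(ALL) NOPASSWD: ALL` grants the interactive account unconditional, promptless root, so any process running as `user` — including anything reached through the X11 forwarding the accompanying ssh/sshd configs enable — can escalate with `sudo -n` and no credential, which largely undoes the effort spent disabling root login and password authentication in sshd. If this is an admin convenience, keep the password prompt with `user ALL=(ALL) ALL`; if it is for unattended automation, restrict NOPASSWD to an explicit list of the exact commands required rather than `ALL`. Whatever the final form, install it through `visudo -c` (or `visudo -cf` on the candidate file) before copying it into place, since a parse error in sudoers disables sudo for everyone.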
| @@ -0,0 +1,60 @@ | ||
| #### ipv4 networking and equivalent ipv6 parameters #### | ||
|
|
||
| ## TCP SYN cookie protection (default) | ||
| ## helps protect against SYN flood attacks | ||
| ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached | ||
| net.ipv4.tcp_syncookies = 1 | ||
|
|
||
| ## protect against tcp time-wait assassination hazards | ||
| ## drop RST packets for sockets in the time-wait state | ||
| ## (not widely supported outside of linux, but conforms to RFC) | ||
| net.ipv4.tcp_rfc1337 = 1 | ||
|
|
||
| ## sets the kernels reverse path filtering mechanism to value 1(on) | ||
| ## will do source validation of the packet's recieved from all the interfaces on the machine | ||
| ## protects from attackers that are using ip spoofing methods to do harm | ||
| net.ipv4.conf.all.rp_filter = 1 | ||
| net.ipv6.conf.all.rp_filter = 1 | ||
|
|
||
| ## tcp timestamps | ||
| ## + protect against wrapping sequence numbers (at gigabit speeds) | ||
| ## + round trip time calculation implemented in TCP | ||
| ## - causes extra overhead and allows uptime detection by scanners like nmap | ||
| ## enable @ gigabit speeds | ||
| net.ipv4.tcp_timestamps = 0 | ||
| #net.ipv4.tcp_timestamps = 1 | ||
|
|
||
| ## log martian packets | ||
| net.ipv4.conf.all.log_martians = 1 | ||
|
|
||
| ## ignore echo broadcast requests to prevent being part of smurf attacks (default) | ||
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
|
|
||
| ## ignore bogus icmp errors (default) | ||
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | ||
|
|
||
| ## send redirects (not a router, disable it) | ||
| net.ipv4.conf.all.send_redirects = 0 | ||
|
|
||
| ## ICMP routing redirects (only secure) | ||
| #net.ipv4.conf.all.secure_redirects = 1 (default) | ||
| net/ipv4/conf/default/accept_redirects=0 | ||
| net/ipv4/conf/all/accept_redirects=0 | ||
| net/ipv6/conf/default/accept_redirects=0 | ||
| net/ipv6/conf/all/accept_redirects=0 | ||
|
|
||
| # Contains, as a percentage of total system memory, the number of pages at which | ||
| # a process which is generating disk writes will start writing out dirty data. | ||
| vm.dirty_ratio = 3 | ||
|
|
||
| # Contains, as a percentage of total system memory, the number of pages at which | ||
| # the background kernel flusher threads will start writing out dirty data. | ||
| vm.dirty_background_ratio = 2 | ||
|
|
||
| kernel.dmesg_restrict = 1 | ||
| kernel.kptr_restrict = 1 | ||
| kernel.randomize_va_space = 1 | ||
| net.netfilter.nf_conntrack_tcp_timeout_established = 360 | ||
| fs.protected_hardlinks = 1 | ||
| fs.protected_symlinks = 1 | ||
| net.ipv4.tcp_synack_retries = 2 |
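Review bot: `kernel.randomize_va_space = 1` weakens ASLR relative to the usual kernel default of 2: level 1 randomizes the stack, mmap base and VDSO but leaves the brk-based heap at a predictable address, so in a hardening file this should read `kernel.randomize_va_space = 2`. `net.ipv4.conf.all.send_redirects = 0` on its own is not sufficient, because the kernel sends redirects from an interface when either the `all` or the per-interface value is set; add `net.ipv4.conf.default.send_redirects = 0` alongside it, mirroring the pattern the accept_redirects block already uses for both `all` and `default`. As far as I can tell `net.ipv6.conf.all.rp_filter` does not exist as a sysctl (IPv6 has no equivalent knob; reverse-path checks there are done with the netfilter `rpfilter` match), so `sysctl -p` will report an error on that line and it should be dropped or replaced by a firewall rule. Finally, the `net/ipv4/conf/.../accept_redirects=0` entries mix slash notation into a file that otherwise uses the dotted `key = value` form; sysctl accepts both, but one style keeps the file greppable.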