Merge branch 'master' of https://git.ispconfig.org/ispconfig/ispconfig3

Author: Florian Schaal

docs/hardening/.gitkeep

@@ -0,0 +1,20 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+This folder contains examples for further ISPC hardening (done by NwSEC)
+
+
+Currently, these are:
+
+
+
+anti-bruteforce         WordPress Login Anti-Bruteforce via fail2ban
+
+postfix-ldap            Query for valid recipients via LDAP in a transparent
+                        setup routing mails e.g. to the internal server
+                        
+                        
+                        
+All these examples have been productively tested and implemented on various
+Debian/GNU Linux based systems.
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

docs/hardening/README.md

@@ -0,0 +1,8 @@
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+This is an example to block WordPress Login Bruteforce Attacks. Further
+description can also be found @ https://blog.nwsec.de/wordpress/?p=1112
+
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

docs/hardening/anti-bruteforce/.gitkeep

@@ -0,0 +1,10 @@
+#
+# This goes into (or at the end of) /etc/fail2ban/jail.local
+#
+[wp-auth]
+ enabled = true
+ filter = wp-auth
+ action = iptables-multiport[name=wp-auth, port="http,https"]
+ logpath = /var/www/clients/client*/web*/log/*.log
+ bantime = 1200
+ maxretry = 5

docs/hardening/anti-bruteforce/README.md

@@ -0,0 +1,5 @@
+#
+# This goes into /etc/fail2ban/filter.d/wp-auth.conf
+#
+[Definition]
+ failregex = ^<HOST> .* "POST /wp-login.php

docs/hardening/anti-bruteforce/jail.local

@@ -0,0 +1,17 @@
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+If mails get transparently forwarded to another mailserver, a mechanism to block
+mail for invalid recipients makes sense, and drastically increaes the well-known
+backscatter problem.
+
+LDAP queries are used to check for valid recipients, and forwards the mail, if
+an entry for the user is found.
+
+For this to work, on Debian/GNU Linux, you also have to install postfix-ldap by
+
+apt install postfix-ldap
+
+
+Further information can be found @ https://blog.nwsec.de/wordpress/?p=1031
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

docs/hardening/anti-bruteforce/wp-auth.conf

@@ -0,0 +1,4 @@
+#
+# This goes into /etc/postfix/main.cf in the section relay_recipient_maps
+#
+relay_recipient_maps = hash:/etc/postfix/relay_recipients, ldap:/etc/postfix/ldap-aliases.cf

docs/hardening/postfix-ldap/.gitkeep

@@ -0,0 +1,9 @@
+server_host = x.x.x.x
+search_base = ou=xxx, dc=xxx, dc=xx
+version = 3
+timeout = 10
+leaf_result_attribute = mail
+bind_dn = user@domain
+bind_pw = userpassword
+query_filter = (mail=%s) 
+result_attribute = mail, addressToForward