debian housekeeping

script /common/scripts/debianHK.sh

http://www.linuxquestions.org/questions/debian-26/how-do-i-get-apt-get-to-completely-uninstall-a-package-237772/
http://www.rootkit.nl/files/lynis-documentation.html

apt-get install deborphan debfoster

#apt-get remove --purge package
#apt-get clean

the latter deletes the downloaded .deb files cached under /var (the apt archive cache).

#debfoster

will show the packages and libraries still left after the apt-get remove --purge. If you don't recognize a library, keep it: later on, deborphan will give you a list of 'orphaned' libraries that are hanging around with no use and are safe to nuke.

If you make a mistake with debfoster, type 'u' and it will ask you again whether you want to keep it. When you are through with it, invoke deborphan.

#deborphan

will give a list of libraries that are hanging around just taking space. To get rid of them:

#deborphan | xargs apt-get -y remove --purge

When through with that:

#apt-get clean

Recently, after a dist-upgrade to sid, it installed emacs21; I removed it, and debfoster found some files like emacsen, etc.

aptitude purge ~c
apt-get autoremove

Also, you do not need the "remove" when doing apt-get remove --purge package; just apt-get purge package.

deborphan | xargs apt-get -y remove --purge

To remove all orphaned data packages run:

deborphan --guess-dev | xargs apt-get -y remove --purge

To see all the orphaned packages on your system run:

deborphan --guess-all
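The sequence above as an added shell script; it is not the page's own /common/scripts/debianHK.sh. It repeats the deborphan step until nothing is reported, because purging one orphan usually orphans the libraries only it depended on, and it skips apt-get when the list is empty (the plain xargs one-liner would not). APT_GET, DEBORPHAN and MAX_ROUNDS are assumed override variables, not part of the original notes.

```shell
#!/bin/sh
# Added example, not the page's own /common/scripts/debianHK.sh.
# Runs the housekeeping sequence from the notes, but repeats the deborphan
# step until it reports nothing: purging one orphaned library often orphans
# the libraries only it depended on, so a single pass leaves leftovers.
# APT_GET, DEBORPHAN and MAX_ROUNDS are assumed override variables; set
# DEBORPHAN="deborphan --guess-dev" to include guessed -dev packages.
set -u

APT_GET=${APT_GET:-apt-get}
DEBORPHAN=${DEBORPHAN:-deborphan}
MAX_ROUNDS=${MAX_ROUNDS:-10}

# purge_orphans: repeat "deborphan -> apt-get purge" until deborphan is quiet.
# Prints the number of packages purged; returns 1 if MAX_ROUNDS was reached
# with orphans still being reported (something keeps pulling them back in).
purge_orphans() {
    total=0
    rounds=0
    while [ "$rounds" -lt "$MAX_ROUNDS" ]; do
        # shellcheck disable=SC2086  # DEBORPHAN may carry options
        orphans=$($DEBORPHAN)
        # Empty list: stop here. The one-liner "deborphan | xargs apt-get -y
        # remove --purge" from the notes would instead call apt-get with no
        # package names (GNU xargs needs -r to skip the empty case).
        if [ -z "$orphans" ]; then
            echo "$total"
            return 0
        fi
        # shellcheck disable=SC2086  # word splitting on the package list is intended
        "$APT_GET" -y purge $orphans
        for _ in $orphans; do
            total=$((total + 1))
        done
        rounds=$((rounds + 1))
    done
    echo "$total"
    return 1
}

# housekeeping: purge the packages named on the command line, then orphans,
# then autoremove leftover dependencies and empty the .deb cache under /var.
housekeeping() {
    if [ "$#" -gt 0 ]; then
        "$APT_GET" -y purge "$@"
    fi
    purge_orphans || echo "warning: orphans still reported after $MAX_ROUNDS rounds" >&2
    "$APT_GET" -y autoremove
    "$APT_GET" clean
}

# Invoke as: ./debianHK.sh run [package ...]   (as root)
case "${1:-}" in
    run) shift; housekeeping "$@" ;;
esac
```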

A (mostly) Comprehensive Jail List

# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[pam-generic]

enabled = false
filter  = pam-generic
action  = iptables-allports[name=pam,protocol=all]
logpath = /var/log/secure

[xinetd-fail]

enabled = false
filter  = xinetd-fail
action  = iptables-allports[name=xinetd,protocol=all]
logpath = /var/log/daemon*log

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

[ssh-ddos]

enabled  = false
filter   = sshd-ddos
action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 2

[dropbear]

enabled  = false
filter   = dropbear
action   = iptables[name=dropbear, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

[gssftpd-iptables]

enabled  = false
filter   = gssftpd
action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
           sendmail-whois[name=GSSFTPd, dest=you@example.com]
logpath  = /var/log/daemon.log
maxretry = 6

[pure-ftpd]

enabled  = false
filter   = pure-ftpd
action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 6

[wuftpd]

enabled  = false
filter   = wuftpd
action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
logpath  = /var/log/daemon.log
maxretry = 6

[sendmail-auth]

enabled  = false
filter   = sendmail-auth
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath  = /var/log/mail.log

[sendmail-reject]

enabled  = false
filter   = sendmail-reject
action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath  = /var/log/mail.log

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail
[assp]

enabled = false
filter  = assp
action  = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny[daemon_list=sshd]
              sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs

[ssh-route]

enabled  = false
filter   = sshd
action   = route
logpath  = /var/log/sshd.log
maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled  = false
filter   = sshd
action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5

[ssh-iptables-ipset6]

enabled  = false
filter   = sshd
action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath  = /var/log/sshd.log
maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
#
# This will create a deny rule for that table ONLY if a rule
# for the table doesn't already exist.
#
[ssh-bsd-ipfw]

enabled  = false
filter   = sshd
action   = bsd-ipfw[port=ssh,table=1]
logpath  = /var/log/auth.log
maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache/error.log
           /home/www/myhomepage/error.log
maxretry = 6

[apache-modsecurity]

enabled  = false
filter   = apache-modsecurity
action   = iptables-multiport[name=apache-modsecurity,port="80,443"]
logpath  = /var/log/apache/error.log
           /home/www/myhomepage/error.log
maxretry = 2

[apache-overflows]

enabled  = false
filter   = apache-overflows
action   = iptables-multiport[name=apache-overflows,port="80,443"]
logpath  = /var/log/apache/error.log
           /home/www/myhomepage/error.log
maxretry = 2

[apache-nohome]

enabled  = false
filter   = apache-nohome
action   = iptables-multiport[name=apache-nohome,port="80,443"]
logpath  = /var/log/apache/error.log
           /home/www/myhomepage/error.log
maxretry = 2

[nginx-http-auth]

enabled = false
filter  = nginx-http-auth
action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log

[squid]

enabled = false
filter  = squid
action  = iptables-multiport[name=squid,port="80,443,8080"]
logpath = /var/log/squid/access.log

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/postfix.log
bantime  = 300

[cyrus-imap]

enabled = false
filter  = cyrus-imap
action  = iptables-multiport[name=cyrus-imap,port="143,993"]
logpath = /var/log/mail*log

[courierlogin]

enabled = false
filter  = courierlogin
action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
logpath = /var/log/mail*log

[couriersmtp]

enabled = false
filter  = couriersmtp
action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
logpath = /var/log/mail*log

[qmail-rbl]

enabled = false
filter  = qmail
action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]
logpath = /service/qmail/log/main/current

[sieve]

enabled = false
filter  = sieve
action  = iptables-multiport[name=sieve,port="25,465,587"]
logpath = /var/log/mail*log

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/apache2/error_log

# Monitor roundcube server

[roundcube-iptables]

enabled  = false
filter   = roundcube-auth
action   = iptables-multiport[name=RoundCube, port="http,https"]
logpath  = /var/log/roundcube/userlogins

# Monitor SOGo groupware server

[sogo-iptables]

enabled  = false
filter   = sogo-auth
# without proxy this would be:
# port    = 20000
action   = iptables-multiport[name=SOGo, port="http,https"]
logpath  = /var/log/sogo/sogo.log

[groupoffice]

enabled  = false
filter   = groupoffice
action   = iptables-multiport[name=groupoffice, port="http,https"]
logpath  = /home/groupoffice/log/info.log

[openwebmail]

enabled  = false
filter   = openwebmail
logpath  = /var/log/openwebmail.log
action   = ipfw
           sendmail-whois[name=openwebmail, dest=you@example.com]
maxretry = 5

[horde]

enabled  = false
filter   = horde
logpath  = /var/log/horde/horde.log
action   = iptables-multiport[name=horde, port="http,https"]
maxretry = 5

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled  = false
action   = iptables-multiport[name=php-url-open, port="http,https"]
filter   = php-url-fopen
logpath  = /var/www/*/logs/access_log
maxretry = 1

[suhosin]

enabled  = false
filter   = suhosin
action   = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]

enabled  = false
filter   = lighttpd-auth
action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.

#[named-refused-udp]
#
#enabled  = false
#filter   = named-refused
#action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#           sendmail-whois[name=Named, dest=you@example.com]
#logpath  = /var/log/named/security.log
#ignoreip = 168.192.0.1

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

[nsd]

enabled = false
filter  = nsd
action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
logpath = /var/log/nsd.log

[asterisk]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[freeswitch]

enabled  = false
filter   = freeswitch
logpath  = /var/log/freeswitch.log
maxretry = 10
action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]

[ejabberd-auth]

enabled = false
filter  = ejabberd-auth
logpath = /var/log/ejabberd/ejabberd.log
action  = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]

# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed)
# use [asterisk] for new jails
[asterisk-tcp]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed)
# use [asterisk] for new jails
[asterisk-udp]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[mysqld-iptables]

enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5

[mysqld-syslog]

enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
logpath  = /var/log/daemon.log
maxretry = 5

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive,protocol=all]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

# PF is a BSD based firewall
[ssh-pf]

enabled  = false
filter   = sshd
action   = pf
logpath  = /var/log/sshd.log
maxretry = 5

[3proxy]

enabled = false
filter  = 3proxy
action  = iptables[name=3proxy, port=3128, protocol=tcp]
logpath = /var/log/3proxy.log

[exim]

enabled = false
filter  = exim
action  = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim/mainlog

[exim-spam]

enabled = false
filter  = exim-spam
action  = iptables-multiport[name=exim-spam,port="25,465,587"]
logpath = /var/log/exim/mainlog

[perdition]

enabled = false
filter  = perdition
action  = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog

[uwimap-auth]

enabled = false
filter  = uwimap-auth
action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog

[osx-ssh-ipfw]

enabled  = false
filter   = sshd
action   = osx-ipfw
logpath  = /var/log/secure.log
maxretry = 5

[ssh-apf]

enabled = false
filter  = sshd
action  = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5

[osx-ssh-afctl]

enabled  = false
filter   = sshd
action   = osx-afctl[bantime=600]
logpath  = /var/log/secure.log
maxretry = 5

[webmin-auth]

enabled = false
filter  = webmin-auth
action  = iptables-multiport[name=webmin,port="10000"]
logpath = /var/log/auth.log

# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]

enabled = false
filter  = dovecot
action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/mail.log

[dovecot-auth]

enabled = false
filter  = dovecot
action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/secure

[solid-pop3d]

enabled = false
filter  = solid-pop3d
action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
logpath = /var/log/mail.log

[selinux-ssh]

enabled  = false
filter   = selinux-ssh
action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath  = /var/log/audit/audit.log
maxretry = 5

# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action
#
# Report block via blocklist.de fail2ban reporting service API
# See action.d/blocklist_de.conf for more information
[ssh-blocklist]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
logpath  = /var/log/sshd.log
maxretry = 20

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]

enabled  = false
filter   = nagios
action   = iptables[name=Nagios, port=5666, protocol=tcp]
           sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
maxretry = 1
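The three knobs from the [DEFAULT] section (findtime, maxretry, ignoreip) decide when a jail bans. As an added illustration, not part of fail2ban or of the jail list above, the sh/awk function below models that rule over constructed failure events of the form "<epoch> <ip>": a host is banned once it has maxretry failures inside any findtime-second window, unless it is listed in ignoreip. It assumes exact addresses in ignoreip; the CIDR form 127.0.0.1/8 from the real config is not modelled.

```shell
#!/bin/sh
# Added example, not part of fail2ban or of the jail list above: a small
# sh/awk model of the DEFAULT knobs. A host is banned once it has "maxretry"
# failures inside any "findtime"-second window; hosts listed in "ignoreip"
# are never banned. Assumptions: one input line per failed login in the
# constructed form "<epoch> <ip>", and ignoreip as exact addresses only
# (the CIDR form 127.0.0.1/8 from the real config is not modelled).
set -u

# would_ban FINDTIME MAXRETRY "IGNOREIP ..." < events
# Prints "<ip> <epoch>" for each host at the moment it would be banned.
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" -v ignore="$3" '
    BEGIN {
        n = split(ignore, ign, " ")
        for (i = 1; i <= n; i++) skip[ign[i]] = 1
    }
    {
        t = $1 + 0; ip = $2
        if (ip in skip || ip in banned) next
        cnt[ip]++
        ts[ip, cnt[ip]] = t
        # drop failures of this host that fell out of the window (t - findtime, t]
        while (head[ip] < cnt[ip] && ts[ip, head[ip] + 1] <= t - findtime)
            head[ip]++
        # failures still inside the window = cnt - head
        if (cnt[ip] - head[ip] >= maxretry) {
            banned[ip] = 1
            print ip, t
        }
    }'
}

# Constructed sample: 203.0.113.5 fails three times within 200 s, 127.0.0.1
# is on the ignore list, and 198.51.100.7 spaces its failures 700 s apart.
SAMPLE_EVENTS='100 203.0.113.5
200 203.0.113.5
100 127.0.0.1
200 127.0.0.1
300 127.0.0.1
300 203.0.113.5
100 198.51.100.7
800 198.51.100.7
1500 198.51.100.7'

# With the defaults above (findtime 600, maxretry 3) only 203.0.113.5 is
# banned, at t=300; widen findtime to 2000 and 198.51.100.7 is banned too.
printf '%s\n' "$SAMPLE_EVENTS" | would_ban 600 3 "127.0.0.1"
```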

ifconfig deprecated, use ip (bastards)

Syntax

ip OBJECT COMMAND
ip [options] OBJECT COMMAND
ip OBJECT help

OBJECTS:

Object      Abbreviation   Purpose
link        l              Network device.
address     a, addr        Protocol (IP or IPv6) address on a device.
addrlabel   addrl          Label configuration for protocol address selection.
neighbour   n, neigh       ARP or NDISC cache entry.
route       r              Routing table entry.
rule        ru             Rule in routing policy database.
maddress    m, maddr       Multicast address.
mroute      mr             Multicast routing cache entry.
tunnel      t              Tunnel over IP.
xfrm        x              Framework for IPsec protocol.