| Commit message | Author | Date | Files |
|---|---|---|---|
| logcheck-database update. | Guilhem Moulin | 2024-09-08 | 2 |
| Improve Debian 11's fail2ban rules. | Guilhem Moulin | 2022-12-18 | 4 |
| Port baseline to Debian 11 (codename Bullseye). | Guilhem Moulin | 2022-10-13 | 10 |
| logcheck-database update. | Guilhem Moulin | 2022-10-11 | 3 |
| logcheck-database update. ansible 2.10.7 uses "ansible-ansible.legacy.stat: Invoked with […]". | Guilhem Moulin | 2021-02-13 | 1 |
| rkhunter: workaround for mixed usrmerge/non-usrmerge environments. See https://bugs.debian.org/932594#15 . | Guilhem Moulin | 2020-11-15 | 1 |
| logcheck-database update. | Guilhem Moulin | 2020-11-15 | 4 |
| Bacula: refactor systemd service files. Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P`, so we don't need to use RuntimeDirectory= anymore. | Guilhem Moulin | 2020-11-03 | 1 |
| IMAP: Update role to Debian Buster. For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d . At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’. | Guilhem Moulin | 2020-05-19 | 1 |
| stunnel4: Harden and socket-activate. | Guilhem Moulin | 2020-05-18 | 1 |
| Upgrade baseline to Debian 10. | Guilhem Moulin | 2020-05-16 | 11 |
| Improve/harden fail2ban configuration. Use nftables sets with a timeout; start the daemon with a hardened unit file and a restricted Capability Bounding Set (this requires changing the log path to /var/log/fail2ban/*); skip the database as we don't care about persistence; refactor jail.local. | Guilhem Moulin | 2020-01-25 | 5 |
| Convert firewall to nftables. Debian Buster uses the nftables framework by default. | Guilhem Moulin | 2020-01-23 | 4 |
| MSA: Open 465/TCP for Email Submission over TLS. See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete". | Guilhem Moulin | 2019-03-19 | 1 |
| firewall: gracefully close invalid connections. This is useful when an ESTABLISHED connection is seen as NEW because the client was offline for some time. For instance, clients now gracefully close existing SSH connections immediately after resuming from a suspend state, rather than waiting for the TCP timeout. | Guilhem Moulin | 2018-12-22 | 1 |
| Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 3 |
| Disable resume device. We don't need suspend-to-disk (hibernation). | Guilhem Moulin | 2018-12-09 | 1 |
| systemd.service: Tighten hardening options. | Guilhem Moulin | 2018-12-09 | 2 |
| bacula-*.service: Don't fork in the background. Inspired by /lib/systemd/system/bacula-fd.service. | Guilhem Moulin | 2018-12-09 | 1 |
| Upgrade 'lists' role to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 1 |
| systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’. And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’. | Guilhem Moulin | 2018-12-09 | 2 |
| Firewall: REJECT outgoing connections instead of DROPing them. | Guilhem Moulin | 2018-12-09 | 1 |
| DKIM: also include the "d=" tag in key filenames, not only the "s=" tag. While the combination of the "s=" tag (selector) and the "d=" tag (signing domain) maps to a unique key, the selector alone doesn't necessarily. | Guilhem Moulin | 2018-12-05 | 1 |
| Postfix: replace cdb & btree tables with lmdb ones. Cf. lmdb_table(5). | Guilhem Moulin | 2018-12-03 | 1 |
| IPsec: allow ISAKMP over IPv6. | Guilhem Moulin | 2018-12-03 | 1 |
| Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 9 |
| Skip samhain installation. It's become too verbose (too many false positives)… | Guilhem Moulin | 2018-12-03 | 1 |
| Harden anti-spam on the MXes. | Guilhem Moulin | 2018-06-09 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2018-04-04 | 3 |
| sympa: wibble | Guilhem Moulin | 2018-04-04 | 1 |
| Perform recipient address verification on the MSA itself. | Guilhem Moulin | 2018-04-04 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2017-09-14 | 3 |
| rkhunter: Disable remote updates to fix CVE-2017-7480. | Guilhem Moulin | 2017-07-29 | 1 |
| Use MariaDB as default MySQL flavor. | Guilhem Moulin | 2017-07-29 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2017-06-07 | 1 |
| postfix-sender-login: wibble | Guilhem Moulin | 2017-06-05 | 1 |
| dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | Guilhem Moulin | 2017-06-05 | 1 |
| postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 1 |
| /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 3 |
| MSA: reject null sender address. | Guilhem Moulin | 2017-05-14 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-12-08 | 1 |
| Firewall: allow duplicate rules. | Guilhem Moulin | 2016-09-18 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2 |
| Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-07-09 | 2 |
| IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-06-29 | 3 |
| update-firewall.sh: COMMIT empty iptables rule files. | Guilhem Moulin | 2016-06-29 | 1 |
| typo | Guilhem Moulin | 2016-05-24 | 1 |
| IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. There is no need to bother with X.509 cruft here. | Guilhem Moulin | 2016-05-24 | 1 |
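
The two firewall ideas recorded above, an nftables set with a timeout that fail2ban fills (2020-01-25 commit) and answering packets of connections the firewall no longer recognises instead of silently dropping them (2018-12-22 commit), as an added example ruleset. This is not the repository's own firewall; the table, set and chain names (`filter`, `f2b_ban`, `f2b_ban6`, `input`), the port list and the exact reject rules are assumptions made here to illustrate the technique:

```nft
# Added example, not the repository's ruleset. Names and ports are assumptions.
table inet filter {
    # Sets with "flags timeout": each element carries its own expiry, so a ban
    # inserted with a timeout disappears by itself. No ban database and no
    # unban cron job are needed, which is why persistence can be skipped.
    set f2b_ban {
        type ipv4_addr
        flags timeout
    }
    set f2b_ban6 {
        type ipv6_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Banned sources are checked before any service rule.
        ip saddr @f2b_ban drop
        ip6 saddr @f2b_ban6 drop

        # After a client was offline past the conntrack timeout, the next packet
        # of its old TCP connection is not SYN yet shows up as NEW (or as
        # INVALID). Answer with a RST so the peer tears its side down now
        # rather than after its own TCP timeout; non-TCP invalid traffic is
        # dropped.
        tcp flags & syn == 0 ct state new reject with tcp reset
        meta l4proto tcp ct state invalid reject with tcp reset
        ct state invalid drop

        tcp dport { 22, 25, 465, 587, 993 } accept
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`. A ban action then only needs `nft add element inet filter f2b_ban { 192.0.2.10 timeout 10m }` (192.0.2.10 is a documentation address used here as a constructed sample), and `nft list set inet filter f2b_ban` shows each element with its remaining lifetime, which is the quickest way to confirm that bans really expire.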