├── .gitignore ├── .gitmodules ├── Makefile ├── README.md ├── base ├── etc │ ├── group │ ├── hosts │ ├── passwd │ └── shadow └── initrd.config ├── jump ├── etc │ └── sshd_config ├── initrd.config └── jump.xml ├── nginx ├── README.md ├── etc │ └── nginx │ │ ├── index.html │ │ ├── mime.types │ │ └── nginx.conf └── initrd.config ├── shell └── initrd.config └── syslogd ├── README.md ├── etc ├── services └── syslogd.conf ├── initrd.config ├── syslog-sink.conf └── syslogd /.gitignore: -------------------------------------------------------------------------------- 1 | .*.swp 2 | .*.cmd 3 | Module.symvers 4 | *.o 5 | *.a 6 | modules.order 7 | *.ko 8 | *.mod 9 | *.mod.c 10 | build 11 | kernel/linux* 12 | *.sign 13 | *.xz 14 | .*.d 15 | tags 16 | ctags 17 | *.bin 18 | *.efi 19 | *.exe 20 | *.img 21 | *.iso 22 | *.fd 23 | *.tar.gz 24 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "linux-builder"] 2 | path = linux-builder 3 | url = https://github.com/osresearch/linux-builder 4 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | TARGET ?= jump 2 | INITRD ?= build/initrd-$(TARGET).cpio 3 | BUNDLE ?= 4 | KERNEL_TAG = $(if $(BUNDLE),$(TARGET),virtio) 5 | KERNEL = build/vmlinuz-$(KERNEL_TAG) 6 | INITRD_EXTRA ?= 7 | HOSTNAME ?= $(TARGET) 8 | CMDLINE ?= quiet console=ttyS0 ip=::::$(HOSTNAME) 9 | 10 | all: keys $(KERNEL) $(INITRD) 11 | 12 | build/vmlinuz-$(KERNEL_TAG): $(if $(BUNDLE),$(INITRD)) 13 | +./linux-builder/linux-builder \ 14 | --version 5.4.117 \ 15 | --config linux-builder/config/linux-virtio.config \ 16 | --tag "$(KERNEL_TAG)" \ 17 | $(if $(BUNDLE), \ 18 | --initrd "$(INITRD)" \ 19 | --hostname "$(HOSTNAME)" \ 20 | --cmdline "$(CMDLINE)" \ 21 | ) 22 | 23 | # see linux/Documentation/filesystems/nfs/nfsroot.txt 24 | # if client-ip is INADDR_ANY (or empty), autoconfig will run 25 | #ip=::::::: 26 | 27 | menuconfig: 28 | ./linux-builder/linux-builder \ 29 | --config linux-builder/config/linux-qemu.config \ 30 | --tag "jump" \ 31 | --menuconfig 32 | 33 | INITRD_CONFIG = \ 34 | linux-builder/config/initrd-base.config \ 35 | base/initrd.config \ 36 | syslogd/initrd.config \ 37 | 38 | build/initrd-%.cpio: %/initrd.config $(INITRD_CONFIG) $(INITRD_EXTRA) 39 | ./linux-builder/initrd-builder \ 40 | -v \ 41 | --relative \ 42 | -o $@ \ 43 | --deps $(dir $@)/.$(notdir $@).d \ 44 | $(INITRD_CONFIG) \ 45 | $< 46 | if [ -n "$(INITRD_EXTRA)" ]; then \ 47 | cat "$(INITRD_EXTRA)" >> $@ ; \ 48 | fi 49 | 50 | -include build/.*.d 51 | 52 | keys: build/etc/user_ca 53 | keys: build/etc/host_ca 54 | keys: build/etc/ssh/ssh_host_rsa_key-cert.pub 55 | keys: build/etc/testuser_rsa-cert.pub 56 | 57 | # Create separate CA keys for the user and host system 58 | build/etc/user_ca: 59 | @echo '*********** Creating CA to sign user keys *********' 60 | ssh-keygen \ 61 | -t rsa \ 62 | -b 4096 \ 63 | -f "$@" \ 64 | -C "jump-user-CA" 65 | build/etc/host_ca: 66 | @echo '*********** Creating CA to sign host keys *********' 67 | ssh-keygen \ 68 | -t rsa \ 69 | -b 4096 \ 70 | -f "$@" \ 71 | -C "jump-host-CA" 72 | 73 | # Create a signed host key for the jump host 74 | build/etc/ssh/ssh_host_rsa_key: 75 | @echo '*********** Creating a jump host key *********' 76 | mkdir -p $(dir $@) 77 | ssh-keygen \ 78 | -h \ 79 | -t rsa \ 80 | -b 4096 \ 81 | -N '' \ 82 | -f $@ 83 | 84 | build/etc/ssh/ssh_host_rsa_key-cert.pub: build/etc/ssh/ssh_host_rsa_key build/etc/host_ca 85 | @echo '*********** Signing the jump host key *********' 86 | ssh-keygen \ 87 | -s build/etc/host_ca \ 88 | -h \ 89 | -I jump \ 90 | -n jump,safeboot \ 91 | -V +52w \ 92 | $<.pub 93 | 94 | # Create a test user that is signed with the key 95 | build/etc/testuser_rsa: 96 | @echo '*********** Creating test user key *********' 97 | ssh-keygen \ 98 | -t rsa \ 99 | -b 4096 \ 100 | -f $@ 101 | build/etc/testuser_rsa-cert.pub: build/etc/testuser_rsa build/etc/user_ca.pub 102 | @echo '*********** Signing test user key *********' 103 | ssh-keygen \ 104 | -s build/etc/user_ca \ 105 | -I test-user \ 106 | -n jump \ 107 | -V +1h \ 108 | $<.pub 109 | 110 | $(INITRD): | linux-builder/init 111 | $(INITRD): build/etc/ssh/ssh_host_rsa_key-cert.pub 112 | linux-builder/init: 113 | $(MAKE) -C $(dir $@) $(notdir $@) 114 | 115 | # initrd is built into the kernel now 116 | NO=-initrd $(INITRD) \ 117 | 118 | qemu: $(KERNEL) $(INITRD) 119 | qemu-system-x86_64 \ 120 | -M q35,accel=kvm \ 121 | -m 512 \ 122 | -kernel "$(KERNEL)" \ 123 | $(if $(BUNDLE),, \ 124 | -initrd "$(INITRD)" \ 125 | -append "$(CMDLINE)" \ 126 | ) \ 127 | -netdev user,id=eth0,hostfwd=tcp::5555-:22,hostfwd=tcp::8080-:80 \ 128 | -device virtio-net-pci,netdev=eth0 \ 129 | -serial stdio \ 130 | 131 | 132 | # -device virtio-serial-pci,id=virtio-serial0 \ 133 | # -chardev stdio,id=charconsole0 \ 134 | # -device serial,chardev=charconsole0,id=console0 \ 135 | 136 | # -device virtconsole,chardev=charconsole0,id=console0 \ 137 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # jumphost 2 | 3 | These scripts produce a minimal OpenSSH jump host, which will 4 | accept signed user keys and allow them to transfer to another 5 | host inside the network. The build system uses 6 | [linux-builder](https://github.com/osresearch/linux-builder) 7 | to create a custom kernel and initrd with only the `sshd` program. 8 | 9 | Goals: 10 | 11 | * [X] Diskless image 12 | * [X] Immutable system 13 | * [X] Network logging 14 | * [X] No shell for accidental code execution 15 | * [X] Minimal attack surface 16 | 17 | ## Building 18 | 19 | ``` 20 | git clone --recursive https://github.com/osresearch/jumphost 21 | cd jumphost 22 | make keys # create CA keys and a demo user 23 | make -j32 build/vmlinuz-jump 24 | make qemu 25 | ``` 26 | 27 | ## Running with libvirt 28 | 29 | ``` 30 | virsh create jump/jump.xml 31 | ``` 32 | 33 | ## Signed user keys 34 | 35 | * https://smallstep.com/blog/use-ssh-certificates/ 36 | * https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates 37 | 38 | Every user logs into the jump host as user `jump`. Passwords are not 39 | allowed. Interactive sessions are not allowed. Only proxy commands 40 | via the `ssh -J jump@jumphost user@other-host` are allowed. 41 | 42 | The jumphost has a public key of the user CA that will sign acceptable 43 | user keys. This CA is fixed at image build time; to change the CA requires 44 | rebuilding the jump host system image. The login attempts are sent 45 | via syslog to the network logging host. 46 | 47 | ## Signed host keys 48 | 49 | The jumphost's host key is also signed by a host CA, so that users 50 | connecting can ensure that they trust it without having to TOFU 51 | (Trust On First Use) the key. 52 | 53 | You can add it to your user ssh config by running: 54 | 55 | ``` 56 | echo "@cert-authority * $(cat etc/host_ca.pub)" >> ~/.ssh/known_hosts 57 | ``` 58 | -------------------------------------------------------------------------------- /base/etc/group: -------------------------------------------------------------------------------- 1 | www-data:x:3:www-data 2 | -------------------------------------------------------------------------------- /base/etc/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | -------------------------------------------------------------------------------- /base/etc/passwd: -------------------------------------------------------------------------------- 1 | root:x:0:0:root:/:/bin/nologin 2 | sshd:x:1:1:sshd privsep:/run/sshd:/bin/nologin 3 | jump:x:2:2:jump user:/:/bin/nologin 4 | www-data:x:3:3:nginx user:/run/www-data:/bin/nologin 5 | -------------------------------------------------------------------------------- /base/etc/shadow: -------------------------------------------------------------------------------- 1 | root:!:1:0:99999:7::: 2 | sshd:!:1:0:99999:7::: 3 | jump:*:1:0:99999:7::: 4 | www-data:!:1:0:99999:7::: 5 | NOUSER:!:1:0:99999:7::: 6 | -------------------------------------------------------------------------------- /base/initrd.config: -------------------------------------------------------------------------------- 1 | # binary to initialize the system before execing 2 | # the user applications 3 | ../linux-builder/init / 4 | mkdir /init.d 5 | 6 | # basic user accounts (all of them are nologin) 7 | mkdir /etc 8 | etc/passwd /etc 9 | etc/shadow /etc 10 | etc/hosts /etc 11 | etc/group /etc 12 | 13 | # fake shell for the users 14 | /sbin/nologin 15 | 16 | # files that are dynamically generated 17 | symlink /proc/mounts /etc/mtab 18 | symlink /proc/net/pnp /etc/resolv.conf 19 | 20 | # dynamic libraries for name resolution 21 | /lib/x86_64-linux-gnu/libresolv.so.2 /lib64 22 | /lib/x86_64-linux-gnu/libnss_dns.so.2 /lib64 23 | /lib/x86_64-linux-gnu/libnss_files.so.2 /lib64 24 | /lib/x86_64-linux-gnu/libnss_compat.so.2 /lib64 25 | 26 | -------------------------------------------------------------------------------- /jump/etc/sshd_config: -------------------------------------------------------------------------------- 1 | # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ 2 | 3 | # This is the sshd server system-wide configuration file. See 4 | # sshd_config(5) for more information. 5 | 6 | # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin 7 | 8 | # The strategy used for options in the default sshd_config shipped with 9 | # OpenSSH is to specify options with their default value where 10 | # possible, but leave them commented. Uncommented options override the 11 | # default value. 12 | 13 | #Include /etc/ssh/sshd_config.d/*.conf 14 | 15 | #Port 22 16 | #AddressFamily any 17 | #ListenAddress 0.0.0.0 18 | #ListenAddress :: 19 | 20 | HostKey /etc/ssh/ssh_host_rsa_key 21 | HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub 22 | TrustedUserCAKeys /etc/ssh/user_ca.pub 23 | 24 | #HostKey /etc/ssh/ssh_host_ecdsa_key 25 | #HostKey /etc/ssh/ssh_host_ed25519_key 26 | 27 | # Ciphers and keying 28 | #RekeyLimit default none 29 | 30 | # Logging 31 | SyslogFacility AUTH 32 | LogLevel INFO 33 | 34 | # Do not let SSH clients do anything except be forwarded to the destination: 35 | PermitTTY no 36 | X11Forwarding no 37 | PermitTunnel no 38 | GatewayPorts no 39 | ForceCommand /bin/nologin 40 | 41 | 42 | # Authentication: 43 | 44 | #LoginGraceTime 2m 45 | #PermitRootLogin prohibit-password 46 | #StrictModes yes 47 | #MaxAuthTries 6 48 | #MaxSessions 10 49 | 50 | 51 | #PubkeyAuthentication yes 52 | 53 | # Expect .ssh/authorized_keys2 to be disregarded by default in future. 54 | #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 55 | 56 | #AuthorizedPrincipalsFile none 57 | 58 | #AuthorizedKeysCommand none 59 | #AuthorizedKeysCommandUser nobody 60 | 61 | # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 62 | #HostbasedAuthentication no 63 | # Change to yes if you don't trust ~/.ssh/known_hosts for 64 | # HostbasedAuthentication 65 | #IgnoreUserKnownHosts no 66 | # Don't read the user's ~/.rhosts and ~/.shosts files 67 | #IgnoreRhosts yes 68 | 69 | # To disable tunneled clear text passwords, change to no here! 70 | #PasswordAuthentication yes 71 | #PermitEmptyPasswords no 72 | 73 | # Change to yes to enable challenge-response passwords (beware issues with 74 | # some PAM modules and threads) 75 | ChallengeResponseAuthentication no 76 | 77 | # Kerberos options 78 | #KerberosAuthentication no 79 | #KerberosOrLocalPasswd yes 80 | #KerberosTicketCleanup yes 81 | #KerberosGetAFSToken no 82 | 83 | # GSSAPI options 84 | #GSSAPIAuthentication no 85 | #GSSAPICleanupCredentials yes 86 | #GSSAPIStrictAcceptorCheck yes 87 | #GSSAPIKeyExchange no 88 | 89 | # Set this to 'yes' to enable PAM authentication, account processing, 90 | # and session processing. If this is enabled, PAM authentication will 91 | # be allowed through the ChallengeResponseAuthentication and 92 | # PasswordAuthentication. Depending on your PAM configuration, 93 | # PAM authentication via ChallengeResponseAuthentication may bypass 94 | # the setting of "PermitRootLogin without-password". 95 | # If you just want the PAM account and session checks to run without 96 | # PAM authentication, then enable this but set PasswordAuthentication 97 | # and ChallengeResponseAuthentication to 'no'. 98 | UsePAM no 99 | 100 | #AllowAgentForwarding yes 101 | #AllowTcpForwarding yes 102 | #GatewayPorts no 103 | X11Forwarding no 104 | #X11DisplayOffset 10 105 | #X11UseLocalhost yes 106 | #PermitTTY yes 107 | PrintMotd no 108 | #PrintLastLog yes 109 | #TCPKeepAlive yes 110 | #PermitUserEnvironment no 111 | #Compression delayed 112 | #ClientAliveInterval 0 113 | #ClientAliveCountMax 3 114 | #UseDNS no 115 | #PidFile /var/run/sshd.pid 116 | #MaxStartups 10:30:100 117 | #PermitTunnel no 118 | #ChrootDirectory none 119 | #VersionAddendum none 120 | 121 | # no default banner path 122 | #Banner none 123 | 124 | # Allow client to pass locale environment variables 125 | AcceptEnv LANG LC_* 126 | 127 | # no subsystems 128 | #Subsystem sftp /usr/lib/openssh/sftp-server 129 | 130 | # Example of overriding settings on a per-user basis 131 | #Match User anoncvs 132 | # X11Forwarding no 133 | # AllowTcpForwarding no 134 | # PermitTTY no 135 | # ForceCommand cvs server 136 | -------------------------------------------------------------------------------- /jump/initrd.config: -------------------------------------------------------------------------------- 1 | # sshd program and the invocation after tinyinit has finished 2 | # without syslog, use -D -e to stay in the foreground 3 | # with syslog, detach and write to it 4 | /usr/sbin/sshd 5 | exec /init.d/S20-sshd /bin/sshd 6 | 7 | # home directories for the sshd and jump users 8 | mkdir /run/sshd 700 9 | mkdir /run/jump 10 | 11 | # static config 12 | etc/sshd_config /etc/ssh 13 | 14 | # generated host key and CA cert 15 | ../build/etc/user_ca.pub /etc/ssh 16 | ../build/etc/ssh/ssh_host_rsa_key /etc/ssh 17 | ../build/etc/ssh/ssh_host_rsa_key.pub /etc/ssh 18 | ../build/etc/ssh/ssh_host_rsa_key-cert.pub /etc/ssh 19 | -------------------------------------------------------------------------------- /jump/jump.xml: -------------------------------------------------------------------------------- 1 | 2 | jump 3 | 0934b6df-0dc0-4c97-84e4-4cbb686c707a 4 | 5 | 6 | 524288 7 | 524288 8 | 1 9 | 10 | hvm 11 | /home/hudson/vmlinuz-jump 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | destroy 20 | restart 21 | destroy 22 | 23 | 24 | 25 | 26 | 27 | /usr/bin/qemu-system-x86_64 28 | 29 | 30 |

31 | 32 | 33 | 34 | 35 | 36 |

37 | 38 | 39 | 40 | 41 | 42 | 43 |

44 | 45 | 46 | /dev/urandom 47 |

48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /nginx/README.md: -------------------------------------------------------------------------------- 1 | # nginx appliance 2 | 3 | This appliance is a small immutable nginx routing webserver. 4 | It typically doesn't host any files (although it can), instead 5 | it just terminates SSL and forwards connections to the appropriate hosts 6 | inside the network. 7 | 8 | In order to support Let's Encrypt certificates, the `sites-enabled` 9 | will have to forward the `/.well-known/acme-challenge/*` paths to 10 | the machine that controls the keys and can build a new appliance image. 11 | 12 | ``` 13 | location /.well-known/acme-challenge/ { 14 | proxy_pass http://safeboot:9090; 15 | } 16 | ``` 17 | 18 | 19 | To setup the SSL certs for individual domains, run: 20 | ``` 21 | certbot \ 22 | --config-dir local/etc/letsencrypt \ 23 | --logs-dir /tmp/certbot/logs \ 24 | --work-dir /tmp/certbot \ 25 | certonly \ 26 | --standalone \ 27 | --http-01-port 9090 \ 28 | --https-port 9443 \ 29 | -d host.example.com 30 | ``` 31 | 32 | For a wild card domain (which will require setting dns records): 33 | ``` 34 | certbot \ 35 | --config-dir local/etc/letsencrypt \ 36 | --logs-dir /tmp/certbot/logs \ 37 | --work-dir /tmp/certbot \ 38 | certonly \ 39 | --manual \ 40 | --preferred-challenges dns-01 \ 41 | --manual-public-ip-logging-ok \ 42 | -d '*.example.com' \ 43 | -d 'example.com' 44 | ``` 45 | 46 | To renew: 47 | ``` 48 | certbot \ 49 | --config-dir local/etc/letsencrypt \ 50 | --logs-dir /tmp/certbot/logs \ 51 | --work-dir /tmp/certbot \ 52 | renew 53 | ``` 54 | 55 | and then rebuild the nginx image. 56 | -------------------------------------------------------------------------------- /nginx/etc/nginx/index.html: -------------------------------------------------------------------------------- 1 | 2 |

nginx appliance works

3 | If you're seeing this, then you should probably rebuild the configuration. 4 | 5 | -------------------------------------------------------------------------------- /nginx/etc/nginx/mime.types: -------------------------------------------------------------------------------- 1 | 2 | types { 3 | text/html html htm shtml; 4 | text/css css; 5 | text/xml xml; 6 | image/gif gif; 7 | image/jpeg jpeg jpg; 8 | application/javascript js; 9 | application/atom+xml atom; 10 | application/rss+xml rss; 11 | 12 | text/mathml mml; 13 | text/plain txt; 14 | text/vnd.sun.j2me.app-descriptor jad; 15 | text/vnd.wap.wml wml; 16 | text/x-component htc; 17 | 18 | image/png png; 19 | image/tiff tif tiff; 20 | image/vnd.wap.wbmp wbmp; 21 | image/x-icon ico; 22 | image/x-jng jng; 23 | image/x-ms-bmp bmp; 24 | image/svg+xml svg svgz; 25 | image/webp webp; 26 | 27 | application/font-woff woff; 28 | application/java-archive jar war ear; 29 | application/json json; 30 | application/mac-binhex40 hqx; 31 | application/msword doc; 32 | application/pdf pdf; 33 | application/postscript ps eps ai; 34 | application/rtf rtf; 35 | application/vnd.apple.mpegurl m3u8; 36 | application/vnd.ms-excel xls; 37 | application/vnd.ms-fontobject eot; 38 | application/vnd.ms-powerpoint ppt; 39 | application/vnd.wap.wmlc wmlc; 40 | application/vnd.google-earth.kml+xml kml; 41 | application/vnd.google-earth.kmz kmz; 42 | application/x-7z-compressed 7z; 43 | application/x-cocoa cco; 44 | application/x-java-archive-diff jardiff; 45 | application/x-java-jnlp-file jnlp; 46 | application/x-makeself run; 47 | application/x-perl pl pm; 48 | application/x-pilot prc pdb; 49 | application/x-rar-compressed rar; 50 | application/x-redhat-package-manager rpm; 51 | application/x-sea sea; 52 | application/x-shockwave-flash swf; 53 | application/x-stuffit sit; 54 | application/x-tcl tcl tk; 55 | application/x-x509-ca-cert der pem crt; 56 | application/x-xpinstall xpi; 57 | application/xhtml+xml xhtml; 58 | application/xspf+xml xspf; 59 | application/zip zip; 60 | 61 | application/octet-stream bin exe dll; 62 | application/octet-stream deb; 63 | application/octet-stream dmg; 64 | application/octet-stream iso img; 65 | application/octet-stream msi msp msm; 66 | 67 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; 68 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; 69 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; 70 | 71 | audio/midi mid midi kar; 72 | audio/mpeg mp3; 73 | audio/ogg ogg; 74 | audio/x-m4a m4a; 75 | audio/x-realaudio ra; 76 | 77 | video/3gpp 3gpp 3gp; 78 | video/mp2t ts; 79 | video/mp4 mp4; 80 | video/mpeg mpeg mpg; 81 | video/quicktime mov; 82 | video/webm webm; 83 | video/x-flv flv; 84 | video/x-m4v m4v; 85 | video/x-mng mng; 86 | video/x-ms-asf asx asf; 87 | video/x-ms-wmv wmv; 88 | video/x-msvideo avi; 89 | } 90 | -------------------------------------------------------------------------------- /nginx/etc/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user www-data; 2 | worker_processes auto; 3 | pid /run/nginx.pid; 4 | include /etc/nginx/modules-enabled/*.conf; 5 | 6 | events { 7 | worker_connections 768; 8 | # multi_accept on; 9 | } 10 | 11 | http { 12 | 13 | ## 14 | # Basic Settings 15 | ## 16 | 17 | sendfile on; 18 | tcp_nopush on; 19 | tcp_nodelay on; 20 | keepalive_timeout 65; 21 | types_hash_max_size 2048; 22 | # server_tokens off; 23 | 24 | server_names_hash_bucket_size 64; 25 | # server_name_in_redirect off; 26 | 27 | include /etc/nginx/mime.types; 28 | default_type application/octet-stream; 29 | 30 | ## 31 | # SSL Settings 32 | ## 33 | 34 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE 35 | ssl_prefer_server_ciphers on; 36 | 37 | ## 38 | # Logging Settings 39 | ## 40 | 41 | access_log syslog:server=localhost; 42 | error_log syslog:server=localhost; 43 | 44 | ## 45 | # Gzip Settings 46 | ## 47 | 48 | gzip on; 49 | 50 | # gzip_vary on; 51 | # gzip_proxied any; 52 | # gzip_comp_level 6; 53 | # gzip_buffers 16 8k; 54 | # gzip_http_version 1.1; 55 | # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 56 | 57 | ## 58 | # Virtual Host Configs 59 | ## 60 | 61 | include /etc/nginx/conf.d/*.conf; 62 | include /etc/nginx/sites-enabled/*; 63 | } 64 | 65 | 66 | #mail { 67 | # # See sample authentication script at: 68 | # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript 69 | # 70 | # # auth_http localhost/auth.php; 71 | # # pop3_capabilities "TOP" "USER"; 72 | # # imap_capabilities "IMAP4rev1" "UIDPLUS"; 73 | # 74 | # server { 75 | # listen localhost:110; 76 | # protocol pop3; 77 | # proxy on; 78 | # } 79 | # 80 | # server { 81 | # listen localhost:143; 82 | # protocol imap; 83 | # proxy on; 84 | # } 85 | #} 86 | -------------------------------------------------------------------------------- /nginx/initrd.config: -------------------------------------------------------------------------------- 1 | # nginx stuff 2 | mkdir /etc/nginx 3 | mkdir /run/www-data 4 | mkdir /var/log/nginx 5 | mkdir /var/lib/nginx 6 | mkdir /var/cache/nginx 7 | mkdir /etc/nginx/conf.d 8 | mkdir /etc/nginx/sites-enabled 9 | mkdir /usr/lib/nginx/modules 10 | mkdir /usr/share/nginx/modules 11 | 12 | # don't let it log to disk 13 | symlink var/log/nginx/error.log /dev/console 14 | symlink var/log/nginx/access.log /dev/console 15 | 16 | # some default configurations 17 | etc/nginx/ /etc/nginx 18 | 19 | /usr/sbin/nginx 20 | exec /init.d/S20-nginx /bin/nginx 21 | 22 | # recursively copy over the user's nginx configuration 23 | # and letsencrypt keys. 24 | ../local/etc/nginx/ /etc/nginx 25 | -../local/etc/letsencrypt/live/ /etc/letsencrypt/live/ 26 | -../local/etc/letsencrypt/options-ssl-nginx.conf /etc/letsencrypt/ 27 | -../local/etc/letsencrypt/ssl-dhparams.pem /etc/letsencrypt/ 28 | 29 | #etc/nginx/nginx.conf etc/nginx/ 30 | #etc/nginx/mime.types etc/nginx/ 31 | #etc/nginx/sites-enabled/default etc/nginx/sites-enabled/ 32 | #etc/nginx/index.html var/www/html/ 33 | 34 | # hardcoded list for now from nginx-extras and nginx-full 35 | #/usr/share/nginx/modules/ndk_http_module.so /usr/share/nginx/modules 36 | #/usr/share/nginx/modules/ngx_http_auth_pam_module.so /usr/share/nginx/modules 37 | #/usr/share/nginx/modules/ngx_http_cache_purge_module.so /usr/share/nginx/modules 38 | #/usr/share/nginx/modules/ngx_http_dav_ext_module.so /usr/share/nginx/modules 39 | #/usr/share/nginx/modules/ngx_http_echo_module.so /usr/share/nginx/modules 40 | #/usr/share/nginx/modules/ngx_http_fancyindex_module.so /usr/share/nginx/modules 41 | #/usr/share/nginx/modules/ngx_http_geoip2_module.so /usr/share/nginx/modules 42 | #/usr/share/nginx/modules/ngx_http_geoip_module.so /usr/share/nginx/modules 43 | #/usr/share/nginx/modules/ngx_http_headers_more_filter_module.so /usr/share/nginx/modules 44 | #/usr/share/nginx/modules/ngx_http_image_filter_module.so /usr/share/nginx/modules 45 | #/usr/share/nginx/modules/ngx_http_lua_module.so /usr/share/nginx/modules 46 | #/usr/share/nginx/modules/ngx_http_perl_module.so /usr/share/nginx/modules 47 | #/usr/share/nginx/modules/ngx_http_subs_filter_module.so /usr/share/nginx/modules 48 | #/usr/share/nginx/modules/ngx_http_uploadprogress_module.so /usr/share/nginx/modules 49 | #/usr/share/nginx/modules/ngx_http_upstream_fair_module.so /usr/share/nginx/modules 50 | #/usr/share/nginx/modules/ngx_http_xslt_filter_module.so /usr/share/nginx/modules 51 | #/usr/share/nginx/modules/ngx_mail_module.so /usr/share/nginx/modules 52 | #/usr/share/nginx/modules/ngx_nchan_module.so /usr/share/nginx/modules 53 | #/usr/share/nginx/modules/ngx_stream_module.so /usr/share/nginx/modules 54 | 55 | -------------------------------------------------------------------------------- /shell/initrd.config: -------------------------------------------------------------------------------- 1 | # after everything else, startup the shell with job control enabled 2 | exec /init.d/S30-shell /bin/setsid -c /bin/bash 3 | 4 | # core utils 5 | /bin/bash 6 | symlink bash bin/sh 7 | /usr/bin/mount 8 | /usr/bin/umount 9 | /usr/bin/cp 10 | /usr/bin/mv 11 | /usr/bin/cmp 12 | /usr/bin/ls 13 | /usr/bin/cat 14 | /usr/bin/echo 15 | /usr/bin/head 16 | /usr/bin/tail 17 | /usr/bin/mkdir 18 | /usr/bin/setsid 19 | /usr/bin/dd 20 | /usr/bin/dirname 21 | /usr/bin/grep 22 | /usr/bin/xxd 23 | /usr/bin/mktemp 24 | /usr/bin/date 25 | /usr/bin/printf 26 | /usr/bin/rm 27 | /usr/bin/sleep 28 | /usr/bin/tar 29 | /usr/bin/cpio 30 | /usr/bin/gzip 31 | 32 | # disk management 33 | /sbin/fdisk 34 | /sbin/mkfs.ext4 35 | /sbin/mkfs.vfat 36 | /sbin/fsck.vfat 37 | /usr/sbin/losetup 38 | 39 | # networking stuff 40 | /usr/bin/openssl 41 | /usr/bin/curl 42 | /usr/bin/ping 43 | /usr/bin/nc 44 | /usr/sbin/ifconfig 45 | /usr/sbin/route 46 | #/usr/bin/efibootmgr 47 | 48 | # cryptdisk setup 49 | /sbin/cryptsetup 50 | /sbin/dmsetup 51 | /sbin/lvm 52 | 53 | # inventory collection 54 | /usr/sbin/dmidecode 55 | /usr/bin/lshw 56 | -------------------------------------------------------------------------------- /syslogd/README.md: -------------------------------------------------------------------------------- 1 | To run the receiving side: 2 | ``` 3 | echo '*.* /dev/tty' > syslog-sink.conf 4 | ./syslogd \ 5 | -a '*:*' \ 6 | -d \ 7 | -b :9999 \ 8 | -p /tmp/syslog2 \ 9 | -f syslog-sink.conf \ 10 | -K 11 | ``` 12 | -------------------------------------------------------------------------------- /syslogd/etc/services: -------------------------------------------------------------------------------- 1 | # Network services, Internet style 2 | # 3 | # Note that it is presently the policy of IANA to assign a single well-known 4 | # port number for both TCP and UDP; hence, officially ports have two entries 5 | # even if the protocol doesn't support UDP operations. 6 | # 7 | # Updated from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml . 8 | # 9 | # New ports will be added on request if they have been officially assigned 10 | # by IANA and used in the real-world or are needed by a debian package. 11 | # If you need a huge list of used numbers please install the nmap package. 12 | 13 | tcpmux 1/tcp # TCP port service multiplexer 14 | echo 7/tcp 15 | echo 7/udp 16 | discard 9/tcp sink null 17 | discard 9/udp sink null 18 | systat 11/tcp users 19 | daytime 13/tcp 20 | daytime 13/udp 21 | netstat 15/tcp 22 | qotd 17/tcp quote 23 | chargen 19/tcp ttytst source 24 | chargen 19/udp ttytst source 25 | ftp-data 20/tcp 26 | ftp 21/tcp 27 | fsp 21/udp fspd 28 | ssh 22/tcp # SSH Remote Login Protocol 29 | telnet 23/tcp 30 | smtp 25/tcp mail 31 | time 37/tcp timserver 32 | time 37/udp timserver 33 | whois 43/tcp nicname 34 | tacacs 49/tcp # Login Host Protocol (TACACS) 35 | tacacs 49/udp 36 | domain 53/tcp # Domain Name Server 37 | domain 53/udp 38 | bootps 67/udp 39 | bootpc 68/udp 40 | tftp 69/udp 41 | gopher 70/tcp # Internet Gopher 42 | finger 79/tcp 43 | http 80/tcp www # WorldWideWeb HTTP 44 | kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5 45 | kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5 46 | iso-tsap 102/tcp tsap # part of ISODE 47 | acr-nema 104/tcp dicom # Digital Imag. & Comm. 300 48 | pop3 110/tcp pop-3 # POP version 3 49 | sunrpc 111/tcp portmapper # RPC 4.0 portmapper 50 | sunrpc 111/udp portmapper 51 | auth 113/tcp authentication tap ident 52 | nntp 119/tcp readnews untp # USENET News Transfer Protocol 53 | ntp 123/udp # Network Time Protocol 54 | epmap 135/tcp loc-srv # DCE endpoint resolution 55 | netbios-ns 137/tcp # NETBIOS Name Service 56 | netbios-ns 137/udp 57 | netbios-dgm 138/tcp # NETBIOS Datagram Service 58 | netbios-dgm 138/udp 59 | netbios-ssn 139/tcp # NETBIOS session service 60 | netbios-ssn 139/udp 61 | imap2 143/tcp imap # Interim Mail Access P 2 and 4 62 | snmp 161/tcp # Simple Net Mgmt Protocol 63 | snmp 161/udp 64 | snmp-trap 162/tcp snmptrap # Traps for SNMP 65 | snmp-trap 162/udp snmptrap 66 | cmip-man 163/tcp # ISO mgmt over IP (CMOT) 67 | cmip-man 163/udp 68 | cmip-agent 164/tcp 69 | cmip-agent 164/udp 70 | mailq 174/tcp # Mailer transport queue for Zmailer 71 | xdmcp 177/udp # X Display Manager Control Protocol 72 | bgp 179/tcp # Border Gateway Protocol 73 | smux 199/tcp # SNMP Unix Multiplexer 74 | qmtp 209/tcp # Quick Mail Transfer Protocol 75 | z3950 210/tcp wais # NISO Z39.50 database 76 | ipx 213/udp # IPX [RFC1234] 77 | ptp-event 319/udp 78 | ptp-general 320/udp 79 | pawserv 345/tcp # Perf Analysis Workbench 80 | zserv 346/tcp # Zebra server 81 | rpc2portmap 369/tcp 82 | rpc2portmap 369/udp # Coda portmapper 83 | codaauth2 370/tcp 84 | codaauth2 370/udp # Coda authentication server 85 | clearcase 371/udp Clearcase 86 | ldap 389/tcp # Lightweight Directory Access Protocol 87 | ldap 389/udp 88 | svrloc 427/tcp # Server Location 89 | svrloc 427/udp 90 | https 443/tcp # http protocol over TLS/SSL 91 | snpp 444/tcp # Simple Network Paging Protocol 92 | microsoft-ds 445/tcp # Microsoft Naked CIFS 93 | microsoft-ds 445/udp 94 | kpasswd 464/tcp 95 | kpasswd 464/udp 96 | submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314] 97 | saft 487/tcp # Simple Asynchronous File Transfer 98 | isakmp 500/udp # IPSEC key management 99 | rtsp 554/tcp # Real Time Stream Control Protocol 100 | rtsp 554/udp 101 | nqs 607/tcp # Network Queuing system 102 | asf-rmcp 623/udp # ASF Remote Management and Control Protocol 103 | qmqp 628/tcp 104 | ipp 631/tcp # Internet Printing Protocol 105 | # 106 | # UNIX specific services 107 | # 108 | exec 512/tcp 109 | biff 512/udp comsat 110 | login 513/tcp 111 | who 513/udp whod 112 | shell 514/tcp cmd syslog # no passwords used 113 | syslog 514/udp 114 | printer 515/tcp spooler # line printer spooler 115 | talk 517/udp 116 | ntalk 518/udp 117 | route 520/udp router routed # RIP 118 | gdomap 538/tcp # GNUstep distributed objects 119 | gdomap 538/udp 120 | uucp 540/tcp uucpd # uucp daemon 121 | klogin 543/tcp # Kerberized `rlogin' (v5) 122 | kshell 544/tcp krcmd # Kerberized `rsh' (v5) 123 | dhcpv6-client 546/udp 124 | dhcpv6-server 547/udp 125 | afpovertcp 548/tcp # AFP over TCP 126 | nntps 563/tcp snntp # NNTP over SSL 127 | submission 587/tcp # Submission [RFC4409] 128 | ldaps 636/tcp # LDAP over SSL 129 | ldaps 636/udp 130 | tinc 655/tcp # tinc control port 131 | tinc 655/udp 132 | silc 706/tcp 133 | kerberos-adm 749/tcp # Kerberos `kadmin' (v5) 134 | # 135 | domain-s 853/tcp # DNS over TLS [RFC7858] 136 | domain-s 853/udp # DNS over DTLS [RFC8094] 137 | rsync 873/tcp 138 | ftps-data 989/tcp # FTP over SSL (data) 139 | ftps 990/tcp 140 | telnets 992/tcp # Telnet over SSL 141 | imaps 993/tcp # IMAP over SSL 142 | pop3s 995/tcp # POP-3 over SSL 143 | # 144 | # From ``Assigned Numbers'': 145 | # 146 | #> The Registered Ports are not controlled by the IANA and on most systems 147 | #> can be used by ordinary user processes or programs executed by ordinary 148 | #> users. 149 | # 150 | #> Ports are used in the TCP [45,106] to name the ends of logical 151 | #> connections which carry long term conversations. For the purpose of 152 | #> providing services to unknown callers, a service contact port is 153 | #> defined. This list specifies the port used by the server process as its 154 | #> contact port. While the IANA can not control uses of these ports it 155 | #> does register or list uses of these ports as a convienence to the 156 | #> community. 157 | # 158 | socks 1080/tcp # socks proxy server 159 | proofd 1093/tcp 160 | rootd 1094/tcp 161 | openvpn 1194/tcp 162 | openvpn 1194/udp 163 | rmiregistry 1099/tcp # Java RMI Registry 164 | lotusnote 1352/tcp lotusnotes # Lotus Note 165 | ms-sql-s 1433/tcp # Microsoft SQL Server 166 | ms-sql-s 1433/udp 167 | ms-sql-m 1434/tcp # Microsoft SQL Monitor 168 | ms-sql-m 1434/udp 169 | ingreslock 1524/tcp 170 | datametrics 1645/tcp old-radius 171 | datametrics 1645/udp old-radius 172 | sa-msg-port 1646/tcp old-radacct 173 | sa-msg-port 1646/udp old-radacct 174 | kermit 1649/tcp 175 | groupwise 1677/tcp 176 | l2f 1701/udp l2tp 177 | radius 1812/tcp 178 | radius 1812/udp 179 | radius-acct 1813/tcp radacct # Radius Accounting 180 | radius-acct 1813/udp radacct 181 | cisco-sccp 2000/tcp # Cisco SCCP 182 | nfs 2049/tcp # Network File System 183 | nfs 2049/udp # Network File System 184 | gnunet 2086/tcp 185 | gnunet 2086/udp 186 | rtcm-sc104 2101/tcp # RTCM SC-104 IANA 1/29/99 187 | rtcm-sc104 2101/udp 188 | gsigatekeeper 2119/tcp 189 | gris 2135/tcp # Grid Resource Information Server 190 | cvspserver 2401/tcp # CVS client/server operations 191 | venus 2430/tcp # codacon port 192 | venus 2430/udp # Venus callback/wbc interface 193 | venus-se 2431/tcp # tcp side effects 194 | venus-se 2431/udp # udp sftp side effect 195 | codasrv 2432/tcp # not used 196 | codasrv 2432/udp # server port 197 | codasrv-se 2433/tcp # tcp side effects 198 | codasrv-se 2433/udp # udp sftp side effect 199 | mon 2583/tcp # MON traps 200 | mon 2583/udp 201 | dict 2628/tcp # Dictionary server 202 | f5-globalsite 2792/tcp 203 | gsiftp 2811/tcp 204 | gpsd 2947/tcp 205 | gds-db 3050/tcp gds_db # InterBase server 206 | icpv2 3130/tcp icp # Internet Cache Protocol 207 | icpv2 3130/udp icp 208 | isns 3205/tcp # iSNS Server Port 209 | isns 3205/udp # iSNS Server Port 210 | iscsi-target 3260/tcp 211 | mysql 3306/tcp 212 | ms-wbt-server 3389/tcp 213 | nut 3493/tcp # Network UPS Tools 214 | nut 3493/udp 215 | distcc 3632/tcp # distributed compiler 216 | distcc 3632/udp 217 | daap 3689/tcp # Digital Audio Access Protocol 218 | daap 3689/udp 219 | svn 3690/tcp subversion # Subversion protocol 220 | svn 3690/udp subversion 221 | suucp 4031/tcp # UUCP over SSL 222 | suucp 4031/udp 223 | sysrqd 4094/tcp # sysrq daemon 224 | sysrqd 4094/udp 225 | sieve 4190/tcp # ManageSieve Protocol 226 | epmd 4369/tcp # Erlang Port Mapper Daemon 227 | epmd 4369/udp 228 | remctl 4373/tcp # Remote Authenticated Command Service 229 | remctl 4373/udp 230 | f5-iquery 4353/tcp # F5 iQuery 231 | f5-iquery 4353/udp 232 | ipsec-nat-t 4500/udp # IPsec NAT-Traversal [RFC3947] 233 | iax 4569/tcp # Inter-Asterisk eXchange 234 | iax 4569/udp 235 | mtn 4691/tcp # monotone Netsync Protocol 236 | mtn 4691/udp 237 | radmin-port 4899/tcp # RAdmin Port 238 | radmin-port 4899/udp 239 | sip 5060/tcp # Session Initiation Protocol 240 | sip 5060/udp 241 | sip-tls 5061/tcp 242 | sip-tls 5061/udp 243 | xmpp-client 5222/tcp jabber-client # Jabber Client Connection 244 | xmpp-server 5269/tcp jabber-server # Jabber Server Connection 245 | cfengine 5308/tcp 246 | mdns 5353/udp # Multicast DNS 247 | postgresql 5432/tcp postgres # PostgreSQL Database 248 | freeciv 5556/tcp rptp # Freeciv gameplay 249 | amqps 5671/tcp # AMQP protocol over TLS/SSL 250 | amqp 5672/tcp 251 | amqp 5672/udp 252 | amqp 5672/sctp 253 | x11 6000/tcp x11-0 # X Window System 254 | x11-1 6001/tcp 255 | x11-2 6002/tcp 256 | x11-3 6003/tcp 257 | x11-4 6004/tcp 258 | x11-5 6005/tcp 259 | x11-6 6006/tcp 260 | x11-7 6007/tcp 261 | gnutella-svc 6346/tcp # gnutella 262 | gnutella-svc 6346/udp 263 | gnutella-rtr 6347/tcp # gnutella 264 | gnutella-rtr 6347/udp 265 | sge-qmaster 6444/tcp sge_qmaster # Grid Engine Qmaster Service 266 | sge-execd 6445/tcp sge_execd # Grid Engine Execution Service 267 | mysql-proxy 6446/tcp # MySQL Proxy 268 | babel 6696/udp # Babel Routing Protocol 269 | ircs-u 6697/tcp # Internet Relay Chat via TLS/SSL 270 | afs3-fileserver 7000/tcp bbs # file server itself 271 | afs3-fileserver 7000/udp bbs 272 | afs3-callback 7001/tcp # callbacks to cache managers 273 | afs3-callback 7001/udp 274 | afs3-prserver 7002/tcp # users & groups database 275 | afs3-prserver 7002/udp 276 | afs3-vlserver 7003/tcp # volume location database 277 | afs3-vlserver 7003/udp 278 | afs3-kaserver 7004/tcp # AFS/Kerberos authentication 279 | afs3-kaserver 7004/udp 280 | afs3-volser 7005/tcp # volume managment server 281 | afs3-volser 7005/udp 282 | afs3-errors 7006/tcp # error interpretation service 283 | afs3-errors 7006/udp 284 | afs3-bos 7007/tcp # basic overseer process 285 | afs3-bos 7007/udp 286 | afs3-update 7008/tcp # server-to-server updater 287 | afs3-update 7008/udp 288 | afs3-rmtsys 7009/tcp # remote cache manager service 289 | afs3-rmtsys 7009/udp 290 | font-service 7100/tcp xfs # X Font Service 291 | http-alt 8080/tcp webcache # WWW caching service 292 | puppet 8140/tcp # The Puppet master service 293 | bacula-dir 9101/tcp # Bacula Director 294 | bacula-fd 9102/tcp # Bacula File Daemon 295 | bacula-sd 9103/tcp # Bacula Storage Daemon 296 | xmms2 9667/tcp # Cross-platform Music Multiplexing System 297 | nbd 10809/tcp # Linux Network Block Device 298 | zabbix-agent 10050/tcp # Zabbix Agent 299 | zabbix-trapper 10051/tcp # Zabbix Trapper 300 | amanda 10080/tcp # amanda backup services 301 | dicom 11112/tcp 302 | hkp 11371/tcp # OpenPGP HTTP Keyserver 303 | db-lsp 17500/tcp # Dropbox LanSync Protocol 304 | dcap 22125/tcp # dCache Access Protocol 305 | gsidcap 22128/tcp # GSI dCache Access Protocol 306 | wnn6 22273/tcp # wnn6 307 | 308 | # 309 | # Datagram Delivery Protocol services 310 | # 311 | rtmp 1/ddp # Routing Table Maintenance Protocol 312 | nbp 2/ddp # Name Binding Protocol 313 | echo 4/ddp # AppleTalk Echo Protocol 314 | zip 6/ddp # Zone Information Protocol 315 | 316 | #========================================================================= 317 | # The remaining port numbers are not as allocated by IANA. 318 | #========================================================================= 319 | 320 | # Kerberos (Project Athena/MIT) services 321 | kerberos4 750/udp kerberos-iv kdc # Kerberos (server) 322 | kerberos4 750/tcp kerberos-iv kdc 323 | kerberos-master 751/udp kerberos_master # Kerberos authentication 324 | kerberos-master 751/tcp 325 | passwd-server 752/udp passwd_server # Kerberos passwd server 326 | krb-prop 754/tcp krb_prop krb5_prop hprop # Kerberos slave propagation 327 | zephyr-srv 2102/udp # Zephyr server 328 | zephyr-clt 2103/udp # Zephyr serv-hm connection 329 | zephyr-hm 2104/udp # Zephyr hostmanager 330 | iprop 2121/tcp # incremental propagation 331 | supfilesrv 871/tcp # Software Upgrade Protocol server 332 | supfiledbg 1127/tcp # Software Upgrade Protocol debugging 333 | 334 | # 335 | # Services added for the Debian GNU/Linux distribution 336 | # 337 | poppassd 106/tcp # Eudora 338 | poppassd 106/udp 339 | moira-db 775/tcp moira_db # Moira database 340 | moira-update 777/tcp moira_update # Moira update protocol 341 | moira-ureg 779/udp moira_ureg # Moira user registration 342 | spamd 783/tcp # spamassassin daemon 343 | skkserv 1178/tcp # skk jisho server port 344 | predict 1210/udp # predict -- satellite tracking 345 | rmtcfg 1236/tcp # Gracilis Packeten remote config server 346 | xtel 1313/tcp # french minitel 347 | xtelw 1314/tcp # french minitel 348 | support 1529/tcp # GNATS 349 | cfinger 2003/tcp # GNU Finger 350 | frox 2121/tcp # frox: caching ftp proxy 351 | zebrasrv 2600/tcp # zebra service 352 | zebra 2601/tcp # zebra vty 353 | ripd 2602/tcp # ripd vty (zebra) 354 | ripngd 2603/tcp # ripngd vty (zebra) 355 | ospfd 2604/tcp # ospfd vty (zebra) 356 | bgpd 2605/tcp # bgpd vty (zebra) 357 | ospf6d 2606/tcp # ospf6d vty (zebra) 358 | ospfapi 2607/tcp # OSPF-API 359 | isisd 2608/tcp # ISISd vty (zebra) 360 | afbackup 2988/tcp # Afbackup system 361 | afbackup 2988/udp 362 | afmbackup 2989/tcp # Afmbackup system 363 | afmbackup 2989/udp 364 | fax 4557/tcp # FAX transmission service (old) 365 | hylafax 4559/tcp # HylaFAX client-server protocol (new) 366 | distmp3 4600/tcp # distmp3host daemon 367 | munin 4949/tcp lrrd # Munin 368 | enbd-cstatd 5051/tcp # ENBD client statd 369 | enbd-sstatd 5052/tcp # ENBD server statd 370 | pcrd 5151/tcp # PCR-1000 Daemon 371 | noclog 5354/tcp # noclogd with TCP (nocol) 372 | noclog 5354/udp # noclogd with UDP (nocol) 373 | hostmon 5355/tcp # hostmon uses TCP (nocol) 374 | hostmon 5355/udp # hostmon uses UDP (nocol) 375 | rplay 5555/udp # RPlay audio service 376 | nrpe 5666/tcp # Nagios Remote Plugin Executor 377 | nsca 5667/tcp # Nagios Agent - NSCA 378 | mrtd 5674/tcp # MRT Routing Daemon 379 | bgpsim 5675/tcp # MRT Routing Simulator 380 | canna 5680/tcp # cannaserver 381 | syslog-tls 6514/tcp # Syslog over TLS [RFC5425] 382 | sane-port 6566/tcp sane saned # SANE network scanner daemon 383 | ircd 6667/tcp # Internet Relay Chat 384 | zope-ftp 8021/tcp # zope management by ftp 385 | tproxy 8081/tcp # Transparent Proxy 386 | omniorb 8088/tcp # OmniORB 387 | omniorb 8088/udp 388 | clc-build-daemon 8990/tcp # Common lisp build daemon 389 | xinetd 9098/tcp 390 | mandelspawn 9359/udp mandelbrot # network mandelbrot 391 | git 9418/tcp # Git Version Control System 392 | zope 9673/tcp # zope server 393 | webmin 10000/tcp 394 | kamanda 10081/tcp # amanda backup services (Kerberos) 395 | amandaidx 10082/tcp # amanda backup services 396 | amidxtape 10083/tcp # amanda backup services 397 | smsqp 11201/tcp # Alamin SMS gateway 398 | smsqp 11201/udp 399 | xpilot 15345/tcp # XPilot Contact Port 400 | xpilot 15345/udp 401 | sgi-cmsd 17001/udp # Cluster membership services daemon 402 | sgi-crsd 17002/udp 403 | sgi-gcd 17003/udp # SGI Group membership daemon 404 | sgi-cad 17004/tcp # Cluster Admin daemon 405 | isdnlog 20011/tcp # isdn logging system 406 | isdnlog 20011/udp 407 | vboxd 20012/tcp # voice box system 408 | vboxd 20012/udp 409 | binkp 24554/tcp # binkp fidonet protocol 410 | asp 27374/tcp # Address Search Protocol 411 | asp 27374/udp 412 | csync2 30865/tcp # cluster synchronization tool 413 | dircproxy 57000/tcp # Detachable IRC Proxy 414 | tfido 60177/tcp # fidonet EMSI over telnet 415 | fido 60179/tcp # fidonet EMSI over TCP 416 | 417 | # Local services 418 | -------------------------------------------------------------------------------- /syslogd/etc/syslogd.conf: -------------------------------------------------------------------------------- 1 | *.* /dev/console 2 | *.* @safeboot:9999 ; RFC5424 3 | -------------------------------------------------------------------------------- /syslogd/initrd.config: -------------------------------------------------------------------------------- 1 | # syslogkd for logging to a remote host 2 | etc/services /etc 3 | etc/syslogd.conf /etc 4 | syslogd /bin 5 | exec /init.d/S01-syslog /bin/syslogd -f /etc/syslogd.conf 6 | -------------------------------------------------------------------------------- /syslogd/syslog-sink.conf: -------------------------------------------------------------------------------- 1 | *.* /dev/tty 2 | -------------------------------------------------------------------------------- /syslogd/syslogd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/osresearch/jumphost/e128a5a239f2a5c797ad1087cd2fcb58f2785a35/syslogd/syslogd --------------------------------------------------------------------------------