<?php

/**
 *  "System Health and Security Probe" is a program that runs periodically to 
 *  investigate general system health and security problems and to send report
 *  emails to admins. It's designed to be used as part of RED SCARF Suite.
 *  It requires at least an abridged version of RED SCARF Suite and Postfix, 
 *  installed and configured on a Debian server as described in the "Complete
 *  Guide to a Complete Linux Server". For more details, please see the
 *  "README.txt" file.         
 *                                                                                         
 *  Copyright (C) 2024  Double Bastion LLC <www.doublebastion.com>           
 *                                                                                         
 *  This file is part of "System Health and Security Probe".                               
 *                                                                                         
 *  "System Health and Security Probe" is free software: you can redistribute
 *  it and/or modify it under the terms of the GNU General Public License as                  
 *  published by the Free Software Foundation, either version 3 of the License,            
 *  or (at your option) any later version.                                                 
 *                                                                                         
 *  This program is distributed in the hope that it will be useful,                        
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of                         
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                          
 *  GNU General Public License for more details.                                           
 *                                                                                         
 *  You should have received a copy of the GNU General Public License                      
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>.                 
 */



/****  Edit each parameter value between double quotes  ****/


/**  Set the timespan in hours between two consecutive runs of the script (the "run interval").  **/

//   IMPORTANT !!! The ban time in seconds set for every jail in '/etc/fail2ban/jail.local',
//   must be greater than the run interval that you set below. Also, in '/etc/fail2ban/jail.local'
//   it's necessary to specify a ban time for every jail, even for the jails that use the default ban
//   time. Therefore, in every jail block a 'bantime' parameter (Eg.: bantime = 432000) should exist.
//
//   IMPORTANT !!! If you change the run interval here, don't forget to change the cron job accordingly.
//   To run the script every 8 hours, at 5 minutes past, the cron job should be:
//   5 */8 * * * php /srv/scripts/system-health-and-security-probe.php > /dev/null 2>&1  

//   Run interval in hours, stored as a string like every other parameter in this file. Per the note
//   above, this interval (once converted to seconds) must stay smaller than every 'bantime' in
//   '/etc/fail2ban/jail.local', and the cron schedule must be changed together with it.
$time_in_hours = "8";


/**  Set the database name, user and password (they shouldn't contain double quotes).  **/

//   Database credentials. The password is kept in clear text in this file, so restrict the file's
//   permissions to the account that runs the cron job shown above.
$db_name = "";
$db_user = "";
$db_password = "";


/**  Set the sender's email address, the recipient's email address and the subject line, for the email reports.  **/

//   For multiple recipients write all the email addresses separated by comma, like this: $report_to = "admin1@example1.com,admin2@example2.info,admin3@example3.org".

//   Sender, recipient(s) and subject line of the periodic reports. "$report_to" also receives copies of
//   the abuse reports sent to ISPs when "$abuse_reports_to_admin" (end of this file) is set to "yes".
$report_from = "";
$report_to = "";
$report_subject = "";


/**  Set the log paths for the services monitored by Fail2ban.  **/

//   For WordPress, you can specify multiple log files, separated by commas, like this:
//   $wordpress_log = "/var/log/sites/example.com/access.log, /var/log/sites/secondsite.net/access.log, /var/log/sites/thirdsite.info/access.log";

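//   Log paths of the services monitored by Fail2ban. Leave a parameter empty ("") if the service is not
//   installed. Several of these variables are referenced again in "$excluded_jails" further below, so
//   their final values must be set here.
$phpmyadmin_log = "";
$mailman_log = "";
$dolibarr_log = "";
$phplist_log = "";
$roundcube_log = "";
$matomo_log = "";
$looladmin_log = "";
$postfix_admin_log = "";
$roundpin_log = "";
$mybb_log = "";
$friendica_log = "";
$redscarfsuite_panel_log = "";
//   Multiple WordPress logs go in this one string, separated by commas (see the example above).
$wordpress_log = "";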

//   The following are standard log paths. If you haven't changed them to some custom paths, leave them as they are.

//   Default log locations. Note that Dovecot, Postfix and Postfix SASL all point at the same file
//   ('/var/log/mail.log'); change all three together if your mail log lives elsewhere.
$asterisk_log = "/var/log/asterisk/messages";
$bind_log = "/var/log/named/security.log";
$nextcloud_log = "/var/log/nextcloud/nextcloud.log";
$dovecot_log = "/var/log/mail.log";
$postfix_log = "/var/log/mail.log";
$postfix_sasl_log = "/var/log/mail.log";
$proftpd_log = "/var/log/proftpd/proftpd.log";
$sshd_log = "/var/log/auth.log";
$openvpn_log = "/var/log/openvpn/openvpn.log";


/**  Set the threshold for the disk free space in kibibytes.  **/

//   If the free disk space becomes smaller than the threshold, it will be included in the email report as a system health problem. The default is 3145728 kibibytes (3 GiB).

//   Free-space threshold in kibibytes, as a string: 3145728 KiB = 3 GiB (see the note above).
$disk_threshold = "3145728";


/**  Set the directory where the ClamAV antivirus will store the two periodic scan reports: 'clamav_mail_report' and 'clamav_nextcloud_report'.  **/

//   If you change the default directory, which is '/srv/scripts/detections', remember to enter the same directory in the two cronjobs that have to be set up, to tell ClamAV where 
//   to store the scan reports. When using the default directory (/srv/scripts/detections) the two cronjobs should look like this:
//   5 3 */3 * * cat /dev/null > /srv/scripts/detections/clamav_nextcloud_report && clamdscan --fdpass --quiet /var/www/cloud.example.com/data -l /srv/scripts/detections/clamav_nextcloud_report
//   40 3 */3 * * cat /dev/null > /srv/scripts/detections/clamav_mail_report && clamdscan --fdpass --quiet /var/vmail -l /srv/scripts/detections/clamav_mail_report

//   The two sample cronjobs from above will first erase the previous detections in the '/srv/scripts/detections/clamav_nextcloud_report' and '/srv/scripts/detections/clamav_mail_report'
//   files and then get ClamAV to scan the Nextcloud 'data' directory and 'vmail' directory and store the new detections in the mentioned files, at 3:05 a.m. and 3:40 a.m. respectively, 
//   once every three days. Adjust these cron jobs according to your needs.

//   Must match the directory used with '-l' in the two ClamAV cron jobs shown above, otherwise the
//   scan reports will not be found here.
$clamav_report_dir = "/srv/scripts/detections";


/**  Set the backup directory where the current database will be saved when the number of rows of the 'bannedipstable' table exceeds 100000000.  **/

//   After the current database is saved, the oldest 5000000 records of the 'bannedipstable' table will be trimmed.

//   Destination of the database copy taken before the oldest 'bannedipstable' rows are trimmed (see the note above).
$backup_directory = "/srv/shas-probe-db-backup";


/**  Specify if the script will send automatic abuse report emails to the Internet Service Providers (ISPs) of the offending IPs.  **/

//   The default is "no". If you want 'System Health and Security Probe' to automatically send the abuse report emails (also included in the periodic email report sent to the admin)
//   to the ISPs of the offending IPs, when the offending IPs have been banned more than once, each time the number of bans increases by 1, change "no" to "yes".

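//   Opt-in. The description above states that the default is "no", so the shipped value is "no" as well:
//   these emails go to third parties and carry log entries, so enable them only after reviewing the
//   "$excluded_jails" and "$excluded_ips" parameters below. Accepted values: "yes" or "no".
$automatic_emails_to_isp = "no";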


/**  If the preceding "$automatic_emails_to_isp" parameter is set to "yes", specify the list of log parameters, separated by commas, that you want to exclude from the automatic emails
     sent to the Internet Service Providers of the offending IPs. You can take any log parameter from the "Set the log paths for the services monitored by Fail2ban." section
     above.  **/

//   If you list a log parameter below, the automatic abuse report emails will NOT be sent to the ISPs of the offending IPs that attacked the corresponding jail. It's recommended to
//   list here all the log parameters for which the log entries may contain usernames for HTTP authentication or other sensitive data that you don't want included in emails
//   automatically sent to ISPs. Thus, add or remove any log parameter to/from the list below.

//   A PHP array of the log-path variables from above (not a comma-separated string). It is evaluated here,
//   so each listed variable must already hold its final path. NOTE(review): presumably the exclusion is
//   matched on the path value; if several log parameters are left empty ("") they are identical at this
//   point — confirm how the main script treats empty entries.
$excluded_jails = [$phpmyadmin_log, $wordpress_log, $roundcube_log, $dolibarr_log];


/**  If the "$automatic_emails_to_isp" parameter from above is set to "yes", specify the list of IPs, separated by commas, that you want to exclude from the list of IPs for which the 
     abuse email will be automatically sent to the Internet Service Providers.  **/

//   Comma-separated list of IPs as a single string, e.g. "203.0.113.5,198.51.100.7" (constructed example values).
//   Presumably an empty string excludes nothing — confirm against the main script.
$excluded_ips = "";


/**  If the "$automatic_emails_to_isp" parameter from above is set to "yes", specify the sysadmin name that will appear in the signature of the emails sent to ISPs.  **/

//   Eg: $sysadmin_name = "John";

//   Name only; it appears in the signature of the abuse report emails sent to ISPs (see the note above).
$sysadmin_name = "";


/**  If the "$automatic_emails_to_isp" parameter from above is set to "yes", specify if you want the recipient of the email reports (the "$report_to" address from above) to receive
     copies of all the abuse reports sent to the ISPs of the offending IPs. **/

//   The default is "no". If you want the "$report_to" address(es) to receive, in addition to the regular email reports, copies of the abuse reports sent to the ISPs of the IPs that
//   attacked the server and have been banned more than once, change "no" to "yes".

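//   Opt-in. The description above states that the default is "no", so the shipped value is "no" as well.
//   Accepted values: "yes" or "no". Only relevant when "$automatic_emails_to_isp" is "yes".
$abuse_reports_to_admin = "no";

//   No closing PHP tag: this file only assigns settings, and omitting the tag avoids accidental output
//   from stray whitespace after it.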