Skip to content

Instantly share code, notes, and snippets.

View RiFi2k's full-sized avatar

Reilly Lowery RiFi2k

42 followers · 1 following
View GitHub Profile
@RiFi2k
RiFi2k / nginx.conf.j2
Last active April 7, 2021 22:50
Trellis nginx.conf file to include setting the real IP from Cloudflare if you use their DNS and SSL certs - https://github.com/roots/trellis/blob/master/roles/nginx/templates/nginx.conf.j2
# {{ ansible_managed }}
# nginx Configuration File
# http://wiki.nginx.org/Configuration
# Run as a less privileged user for security reasons.
user {{ nginx_user }};
# How many worker threads to run;
# "auto" sets it to the number of CPU cores available in the system, and
@RiFi2k
RiFi2k / sysctl.conf
Last active November 19, 2020 03:29
Trellis high traffic tuning and security sysctl settings
# Kernel sysctl configuration file for Linux
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
# ----------
# Credits:
# https://klaver.it/linux/sysctl.conf
# http://whatizee.blogspot.com/2015/02/webserverftpserver-sysctlconf-parameter.html
@RiFi2k
RiFi2k / ssh-hardening-defaults.yml
Created December 28, 2016 23:43
ssh-hardening/defaults/main.yml
# Documentation: https://roots.io/trellis/docs/security/
# Which components to generate the configuration files for.
# If remote machine doesn't have an SSH server then change the ssh_client_hardening to false.
ssh_client_hardening: true # SSH
ssh_server_hardening: true # SSHD
# Set to true if CBC for ciphers is required.
ssh_client_cbc_required: false # SSH
ssh_server_cbc_required: false # SSHD
@RiFi2k
RiFi2k / iptables.sh
Last active January 18, 2020 20:04
iptables-persistent rules
#!/bin/bash
#!/bin/bash
# forget old rules
iptables -F
iptables -X
iptables -Z
# set default policy to drop
iptables -P INPUT DROP
@RiFi2k
RiFi2k / firewall-script
Last active February 27, 2017 08:58
#!/bin/bash
# forget old rules
iptables -F
iptables -X
iptables -Z
# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
@RiFi2k
RiFi2k / wp-file-permissions
Created March 6, 2017 23:47
find /install-path/ -type d -exec chmod 755 {} \;
find /install-path/ -type f -exec chmod 644 {} \;
chmod 400 wp-config.php
@RiFi2k
RiFi2k / iptables.openvpn
Last active July 18, 2019 22:32
Force all traffic through VPN tun, drop any traffic not headed through VPN to prevent DNS leaks. Assuming use of TUN-based routing and redirect-gateway OpenVPN client options.
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# Force all traffic through VPN tun
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
@RiFi2k
RiFi2k / onchange.sh
Created March 12, 2017 02:30 — forked from senko/onchange.sh
Watch current directory and execute a command if anything in it changes
#!/bin/bash
#
# Watch current directory (recursively) for file changes, and execute
# a command when a file or directory is created, modified or deleted.
#
# Written by: Senko Rasic <[email protected]>
#
# Requires Linux, bash and inotifywait (from inotify-tools package).
#
# To avoid executing the command multiple times when a sequence of
@RiFi2k
RiFi2k / atom.settings
Last active March 13, 2017 21:42
automatic update by http://atom.io/packages/sync-settings
# Settings for Atom editor
@RiFi2k
RiFi2k / get_post_id_by_meta
Created April 5, 2017 00:12
if (!function_exists('get_post_id_by_meta_key_and_value')) {
function get_post_id_by_meta_key_and_value($key, $value) {
global $wpdb;
$meta = $wpdb->get_results("SELECT * FROM `".$wpdb->postmeta."` WHERE meta_key='".$wpdb->escape($key)."' AND meta_value='".$wpdb->escape($value)."'");
if (is_array($meta) && !empty($meta) && isset($meta[0])) {
$meta = $meta[0];
}
if (is_object($meta)) {
return $meta->post_id;