forked from openrport/openrport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rport.example.conf
308 lines (266 loc) · 14.1 KB
/
rport.example.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
#======================================================================================================================
# vim: softtabstop=2 shiftwidth=2 expandtab fenc=utf-8 spell spelllang=en cc=120
#======================================================================================================================
#
# FILE: rport.example.config
#
# DESCRIPTION: Configuration file for the rport client
#
# BUGS: https://github.com/openrport/openrport/issues
#
# HELP: https://github.com/openrport/openrport/blob/master/README.md
#
# COPYRIGHT: (c) 2020 by the CloudRadar Team,
#
# LICENSE: MIT
# ORGANIZATION: RealVNC Limited, Cambridge, United Kingdom (realvnc.com)
# CREATED: 10/10/2020
# UPDATED: 27/10/2022
# MAINTAINER: OpenRport, France, Lille
#======================================================================================================================
[client]
## rportd server address.
## Mandatory IP address and port divided by a colon.
server = "0.0.0.0:8080"
## list of fallback rportd servers to which the clients tries to connect
## if the above "main" server is not reachable.
#fallback_servers = ["fallback-a.example.com:9090","fallback-b.example.com:80"]
## if connected to a fallback server, try every interval to switch back to the main server.
#server_switchback_interval = '2m'
## fingerprint string to perform host-key validation against the server's public key.
## Highly recommended. Not using it is a big security risk.
## Alternatively, can also be specified via the environment variable RPORT_FINGERPRINT.
#fingerprint = "36:98:56:12:f3:dc:e5:8d:ac:96:48:23:b6:f0:42:15"
## Required client authentication credentials in the form: "<client-auth-id>:<password>".
## Alternatively, can also be specified via the environment variable RPORT_AUTH.
auth = "clientAuth1:1234"
## An optional HTTP CONNECT or SOCKS5 proxy which will be used to reach the rport server.
## Authentication can be specified inside the URL.
#proxy = "http://admin:[email protected]:8081"
## By default rport reads /etc/machine-id (Linux) or the ComputerSystemProduct UUID (Windows)
## to get a unique id for the client identification.
## NOTE: all history for a client is stored based on this id.
use_system_id = true
## An optional hard-coded client ID to better identify the client.
## If not set, a random id will be created that changes on every client start.
## That's why it's highly recommended to set it with a value that was generated on the first
## start or just set it on the very beginning. So on client restart all his history will be preserved.
## The server rejects connections on duplicated ids.
#id = "5616a70e-81a0-4eec-bab3-0861e3c88334"
## By default rport reads the local hostname to identify the system in a human-readable way.
use_hostname = true
## Optionally you can set a hard-coded name for the client.
## Useful if you use numeric ids to make client identification easier.
#name = "my_win_vm_1"
## A list of of tags and labels to give your clients attributes maintained in a separate file.
## See https://oss.openrport.io/advanced/attributes/
#attributes_file_path = "/var/lib/rport/client_attributes.(yaml|json|toml)"
#attributes_file_path = "C:\Program Files\rport\client_attributes.(yaml|json|toml)"
## Alternatively you can specify tags with the line below if {attributes_file_path} is not set.
#tags = ['win', 'server', 'vm']
## Optional remote connections tunneled through the server, each of which come in the form:
## <local-port>
## or
## <remote-port>:<local-port>
## or
## <remote-port>:<local-interface>:<local-port>
## Examples:
## 1) remotes = ['22']
## Makes the local port 22 available on a random port of the rport server.
## 2) remotes = ['2222:127.0.0.1:22'] or shorthand
## remotes = ['2222:22']
## Makes the local SSH port 22 available on port 2222 of the rport server.
## 3) remotes = ['9999:192.168.1.1:80']
## Makes the Port 80 of 192.168.1.1 available on port 9999 of the rport server.
## sharing <remote-host>:<remote-port> from the client to the server's <local-interface>:<local-port>.
## If not set, client connects without active tunnel(s) waiting for tunnels to be initialized by the server.
## Multiple remotes must be comma separated. Using linebreaks after the comma is possible.
#remotes = [
# '3389:3389',
# '5050'
#]
## By default the rport client can create tunnels to any network address.
## This way the so-called "service forwarding" can give access to entire networks.
## You can turn service forwarding off so tunnels must end on the local machine.
#tunnel_allowed = ['127.0.0.0/8']
## Alternatively to the above, you can explicitly allow which targets a tunnel is allowed to reach.
## By default, no limits are applied
## List items can be a single IP or CIDR specification allowing to reach all ports on the target
## or an IP address or a CIDR specification and a port separated by a colon.
## Using ':<PORT>' without IP address or CIDR is a shorthand for '127.0.0.0/8:<PORT>'
## Examples:
## Only RDP on localhost can be accessed
#tunnel_allowed = ['127.0.0.0/8:3389']
## Only SSH on localhost and SSH on 192.168.1.1 can be accessed.
#tunnel_allowed = [':22','192.168.1.1:22']
## Only HTTP on localhost, and RDP to any host on the 192.168.1.0/24 network, and all ports on 192.168.1.100 can be accessed.
#tunnel_allowed = [':80','192.168.1.0/24:3389','192.168.1.100']
## There is no technical requirement to run the rport client under the root user.
## Running it as root is an unnecessary security risk.
## Rport exits with an error if started as root unless you explicitly allow it.
## Defaults to false, ignored on Windows.
#allow_root = false
## Supervision and reporting of the pending updates (patch level)
## Rport can constantly summarize pending updates and
## make that summary available on the rport server.
## On Debian/Ubuntu and SuSE Linux sudo rules are needed.
## https://oss.openrport.io/advanced/supervising-update-status/
## How often after the rport client has started pending updates are summarized
## Set 0 to disable.
## Supported time units: h (hours), m (minutes)
## Default: updates_interval = '4h'
#updates_interval = '4h'
## An optional param to define a local directory path to store internal data.
## By default, "/var/lib/rport" is used on Linux or 'C:\Program Files\rport' on Windows.
## On Linux you must create this directory because an unprivileged user
## don't have the right to create a directory in /var/lib.
## Ideally this directory is the homedir of the rport user and has been created along with the user.
## Example: useradd -r -d /var/lib/rport -m -s /bin/false -U -c "System user for rport client and server" rport
#data_dir = "/var/lib/rport"
## An optional param specifying the local interface to be used for connecting to the server.
#bind_interface = "eth0"
## Determine the clients' external ipv4 and ipv6 addresses by fetching an API.
## See https://oss.openrport.io/advanced/ip-address-determination/
#ip_api_url = "https://myip.openrport.io"
## How often (in minutes) to refresh external IP addresses, default 30
#ip_refresh_min = 30
[connection]
## An optional keepalive interval. The client will send ping request at this interval.
## You must specify a time with a unit, for example '30s' or '2m'.
## Defaults to '3m', '0s' = disabled
#keep_alive = '3m'
## Timout for the above keep_alive after which the connections is considered disconnected.
## You must specify a time with a unit, for example '30s' or '2m'.
## Defaults to '30s'
#keep_alive_timeout = '30s'
## Maximum number of times to retry before exiting. Defaults to unlimited (-1)
#max_retry_count = 10
## Maximum wait time before retrying after a disconnection. Defaults to 5 minutes
#max_retry_interval = '5m'
## Write a state file to {data_dir}/state.json that can be evaluated by external watchdog implementations.
## On Linux this also enables the systemd watchdog integration by using the systemd notify socket.
## Requires max_retry_count = -1 and keep_alive > 0
## Read more https://oss.openrport.io/advanced/watchdog-integration/
## Disabled by default.
#watchdog_integration = false
## Optionally set the 'Host' header. Defaults to the host found in the server url
#hostname = "myvm1.lan"
## Other custom headers in the form "HeaderName: HeaderContent"
#headers = ['User-Agent: test1', 'Authorization: Basic XXXXXX']
[logging]
## Specifies log file path for global logging.
## Not setting "log_file" turns logging off.
#log_file = 'C:\Program Files\rport\rport.log'
log_file = "/var/log/rport/rport.log"
## Specify log level. Values: 'error', 'info', 'debug'.
## Defaults to 'info'
#log_level = "info"
[remote-commands]
## Enable or disable execution of remote commands sent by server.
## Defaults: true
#enabled = true
## Limit the maximum length of the command or script output that is sent back to server.
## Applies to the stdout and stderr separately.
## If exceeded {send_back_limit} bytes are sent.
## Defaults: 4M
#send_back_limit = 4194304
## Allow commands matching the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {deny}.
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
## Deny commands matching one of the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {allow}.
## With the below default filter only single commands are allowed.
## Defaults: ['(\||<|>|;|,|\n|&)']
#deny = ['(\||<|>|;|,|\n|&)']
## Order: ['allow','deny'] or ['deny','allow']. Order of which filter is applied first.
## Defaults: ['allow','deny']
##
## order: ['allow','deny']
## First, all allow directives are evaluated; at least one must match, or the command is rejected.
## Next, all deny directives are evaluated. If any matches, the command is rejected.
## Last, any commands which do not match an allow or a deny directive are denied by default.
## Example:
## allow: ['^/usr/bin/.*']
## deny: ['^/usr/bin/zip']
## All commands in /usr/bin except '/usr/bin/zip' can be executed. Full path must be used.
##
## order: ['deny','allow']
## First, all deny directives are evaluated; if any match,
## the command is denied UNLESS it also matches an allow directive.
## Any command which do not match any allow or deny directives are permitted.
## Example:
## deny: ['.*']
## allow: ['zip$']
## All commands are denied except those ending in zip.
##
#order = ['allow','deny']
[remote-scripts]
## Enable or disable execution of remote scripts sent by server.
## Defaults: false
#enabled = false
[monitoring]
## The rport client can collect and report performance data of the operating system.
## https://oss.openrport.io/advanced/monitoring/
## Monitoring is enabled by default
enabled = true
## How often (seconds) monitoring data should be collected.
## A value below 60 seconds will be overwritten by the hard-coded default of 60 seconds.
#interval = 60
## RPort monitors the fill level of almost all volumes or mount points.
## Change the below defaults to include or exclude volumes or mount points from the monitoring.
#fs_type_include = ['ext3','ext4','xfs','jfs','ntfs','btrfs','hfs','apfs','exfat','smbfs','nfs']
## List of excluded mount points or device letters
## Example:
# fs_path_exclude = ['/mnt/*','h:']
#fs_path_exclude = []
## Having fs_path_exclude_recurse = false the specified path
## must match a mountpoint or it will be ignored
## Having fs_path_exclude_recurse = true the specified path
## can be any folder and all mountpoints underneath will be excluded
#fs_path_exclude_recurse = false
## To avoid monitoring of so-called mount binds,
## mount points are identified by the path and device name.
## Mountpoints pointing to the same device are ignored.
## What appears first in /proc/self/mountinfo is considered as the original.
## Applies only to Linux
#fs_identify_mountpoints_by_device = true
## RPort monitors all running processes
## Process monitoring is enabled by default
pm_enabled = true
## Monitor kernel tasks identified by process group 0
#pm_enable_kerneltask_monitoring = true
## The process list is sorted by PID descending. Only the top N processes are monitored.
#pm_max_number_monitored_processes = 500
## Monitor the bandwidth usage of the following maximum two network cards:
## 'net_lan' and 'net_wan'.
## You must specify the device name and the maximum speed in Megabits.
## On Windows use 'Get-Netadapter' to discover adapter names.
## Examples:
## net_lan = [ 'eth0' , '1000' ]
## net_wan = ['Ethernet0', '1000']
#net_lan = ['', '1000']
#net_wan = ['', '1000']
[interpreter-aliases]
## For fast and unified script execution with different interpreters and shells,
## you can specify aliases. Instead of providing the full path to the shell,
## sending the alias is sufficient.
## https://oss.openrport.io/get-started/scripts/#customizing-an-interpreter
## Optionally you can also specify input and output encoding.
## If only one encoding is specified it will be used for both input and output.
## Examples:
# pwsh7 = 'C:\Program Files\PowerShell\7\pwsh.exe'
# pwsh7enc = ['C:\Program Files\PowerShell\7\pwsh.exe', 'windows-1252', 'cp437']
# bash = 'C:\Program Files\Git\bin\bash.exe'
[file-reception]
## Receive files pushed by the server, enabled by default
# enabled = true
## The rport client will reject writing files to any of the following folders and its sub folders.
## https://oss.openrport.io/advanced/file-reception/
## Wildcards (glob) are supported.
## Linux defaults
# protected = ['/bin', '/sbin', '/boot', '/usr/bin', '/usr/sbin', '/dev', '/lib*', '/run']
## Windows defaults
# protected = ['C:\Windows\', 'C:\ProgramData']