Page revisions: internet:mail:mailcleaner_csf [2020/07/24 11:30] gcooper and [2021/02/08 09:14] gcooper (the newer revision is shown below).

See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]**

See also **[[internet:mail:mailcleaner_ssl|MailCleaner LetsEncrypt Free SSL]]**

**CSF CLI Commands**: https://wiki.centos-webpanel.com/csf-firewall-command-line

**CSF Docs**: https://download.configserver.com/csf/readme.txt

**DDoS**: https://www.liquidweb.com/kb/basic-dosddos-mitigation-with-the-csf-firewall/

<note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note>

===== Disable MailCleaner Firewall =====

Add the following to ''/usr/mailcleaner/etc/init.d/firewall'' (before it adds any rules) so that the MailCleaner firewall script exits immediately:

<file>
# We will use CSF for firewall, so exiting this script
logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall"
exit 0
</file>

Then stop the MailCleaner firewall and fail2ban scripts and disable their systemd units:

<file>
/usr/mailcleaner/etc/init.d/firewall stop
/usr/mailcleaner/etc/init.d/fail2ban stop
systemctl disable firewalld.service
systemctl disable fail2ban.service
</file>

Install Webmin, ipset and the Perl modules that CSF depends on:

<file>
apt update && apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
</file>

===== Configure Webmin =====

<note tip>Webmin provides a useful web interface to configure and manage CSF. It is definitely worth configuring, but is not required. I find that I prefer to use the CLI and VIM for initial configuration, then I use Webmin after that.</note>

**Admin URL**: https://ip.of.csf.host:10000/

**Webmin -> Webmin Configuration -> Webmin Modules -> From local file -> ''/etc/csf/csfwebmin.tgz'' -> Install Module**

{{ :internet:mail:mailcleaner_webmin_csf.png?750 |Link to CSF Firewall in Webmin}}

===== Configure CSF =====
<note warning>Leave ''TESTING = "1"'' near the top of ''csf.conf'' until you have the basic configuration done. Starting CSF and LFD with this setting will run a sanity check of your CSF configuration, but will not add any firewall rules.</note>

<note important>When you are ready to activate the firewall, set ''TESTING = "0"'' then enable and start CSF and LFD as shown below.</note>

Hosts to allow:
<file>
vim /etc/csf/csf.allow
</file>

<file>
# Network where you manage your MailCleaner from
10.0.0.0/24 # Management LAN

# If you have a MailCleaner cluster server, allow it here
# MailCleaner Cluster Ports
tcp|in|d=22,3306_3307,5132|s=192.168.1.30
tcp|out|d=22,3306_3307,5132|d=192.168.1.30
udp|in|d=161|s=192.168.1.30
udp|out|d=161|d=192.168.1.30
</file>

<file>
vim /etc/csf/csf.ignore
</file>
<file>
10.0.0.0/24 # Management LAN
192.168.1.30 # MailCleaner #2
</file>

<file>
vim /etc/csf/csf.blocklists
</file>

<note warning>If you plan to enable a large number of blocklists, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note>

We uncomment (enable) the following lists:

<file>
SPAMDROP
SPAMDROPV6
SPAMEDROP
DSHIELD
TOR
HONEYPOT
CIARMY
BFB
MAXMIND
BDEALL
STOPFORUMSPAM
STOPFORUMSPAMV6
GREENSNOW
</file>

Entries for ''csf.pignore'' (''cmd:'' matches a command line exactly, ''pcmd:'' is a regular expression over the command line):

<file>
cmd:PrefTDaemon
cmd:StatsDaemon
cmd:MailWatch SQL
cmd:spamd child

pcmd:MailScanner: .*
pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.*
pcmd:/opt/clamav/bin/freshclam --user=clamav --config-file=/usr/mailcleaner/etc/clamav/freshclam.*
pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.*
pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.*
</file>

Settings in ''csf.conf'':

<file>
CONNLIMIT_LOGGING = "1"
LF_ALERT_TO = "youradminaddress@yourdomain.tld"
LF_ALERT_FROM = "yourvalidfromaddress@yourdomain.tld"
LF_PERMBLOCK_COUNT = "3"
LF_NETBLOCK = "1"
</file>

Restart CSF and LFD:

<file>
csf -ra
</file>

LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD is a huge part of why CSF is so effective.

<note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, and these processes can and will change over time with system updates and changes, so expect to revisit it.</note>

The ''lfd.log'' will show you the processes it is concerned about:
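As an added example (not from the original page or from CSF itself), this bash snippet turns ''*User Processing*'' entries in ''lfd.log'' into draft ''pcmd:'' lines for ''csf.pignore''. The log format and the sample lines are constructed/assumed here; review every generated entry before adding it, so that the ignore list stays as narrow as possible.

```bash
#!/bin/bash
# Constructed sample of lfd.log lines (assumed "*User Processing*" layout;
# hostnames, PIDs and paths are made up for this example).
LFD_SAMPLE='Jul 24 11:30:01 mc1 lfd[2231]: *User Processing* PID:1401 Kill:0 User:mysql Time:3600 EXE:/opt/mysql5/bin/mysqld CMD:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_master.cnf
Jul 24 11:30:01 mc1 lfd[2231]: *User Processing* PID:1577 Kill:0 User:clamav Time:3600 EXE:/opt/clamav/sbin/clamd CMD:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clamd.conf
Jul 24 11:35:01 mc1 lfd[2231]: *User Processing* PID:1599 Kill:0 User:clamav Time:3900 EXE:/opt/clamav/sbin/clamd CMD:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clamd.conf
Jul 24 11:36:10 mc1 lfd[2231]: *Blocked in csf* 203.0.113.5 (example block line, ignored)'

# pignore_from_lfd_log: read lfd log lines on stdin, print one draft
# "pcmd:" entry per distinct binary seen in a "*User Processing*" line.
# The pattern keeps the binary path plus its first argument and ends in
# ".*", so it is narrower than a bare "exe:" line but still survives
# per-instance arguments. Dots are left unescaped, like the page's own
# entries; tighten them by hand if a pattern turns out to be too loose.
pignore_from_lfd_log() {
  awk '
    /\*User Processing\*/ {
      n = index($0, " CMD:")
      if (n == 0) next
      cmd = substr($0, n + 5)          # everything after "CMD:"
      split(cmd, w, " ")
      if (w[1] in seen) next           # one entry per binary
      seen[w[1]] = 1
      pat = (w[2] != "") ? (w[1] " " w[2]) : w[1]
      print "pcmd:" pat ".*"
    }'
}

# Stand-alone run: print the draft entries for the sample above.
printf '%s\n' "$LFD_SAMPLE" | pignore_from_lfd_log
```

On a live host you would feed it ''grep "User Processing" /var/log/lfd.log'' instead of the sample, then paste only the entries you have verified into ''csf.pignore'' and run ''csf -ra''.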