Differences

This shows you the differences between two versions of the page.

--- internet:mail:mailcleaner_csf [2020/07/24 11:47]
gcooper
+++ internet:mail:mailcleaner_csf [2021/08/03 12:33]
gcooper
@@ Line 4: / Line 4: @@
 See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]**
+See also **[[internet:mail:mailcleaner_ssl|MailCleaner LetsEncrypt Free SSL]]**
+**CSF CLI Commands**: https://wiki.centos-webpanel.com/csf-firewall-command-line
 **CSF Docs**: https://download.configserver.com/csf/readme.txt
@@ Line 9: / Line 13: @@
 **DDoS**: https://www.liquidweb.com/kb/basic-dosddos-mitigation-with-the-csf-firewall/
-<note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address.  If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you.</note>
+<note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address.  If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you.  If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note>
-===== Disable MailCleaner Firewall =====
+===== Disable Old Services =====
+==== Disable Firewall ====
 <file>
@@ Line 20: / Line 26: @@
 <file>
-# We will use CSF for firewal, so exiting this script
+# We will use CSF for firewall, so exiting this script
 logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall"
 exit 0
@@ Line 27: / Line 33: @@
 <file>
 /usr/mailcleaner/etc/init.d/firewall stop
+systemctl disable firewalld.service
+</file>
+==== Disable Fail2Ban ====
+<file>
+vim /usr/mailcleaner/etc/init.d/fail2ban
+</file>
+Add at the top below ''#! /bin/sh'' and the initial comments:
+<file>
+# We will use LFD for log file monitoring, so exiting this script
+logger "MailCleaner fail2ban disabled in /usr/mailcleaner/etc/init.d/fail2ban"
+exit 0
+</file>
+<file>
 /usr/mailcleaner/etc/init.d/fail2ban stop
-systemctl stop firewalld.service && systemctl disable firewalld.service
+systemctl disable fail2ban.service
-systemctl stop fail2ban.service && systemctl disable fail2ban.service
 </file>
@@ Line 40: / Line 63: @@
 <file>
-apt install webmin unzip ipset libwww-perl liblist-compare-perl \
+apt update && apt install webmin unzip ipset libwww-perl liblist-compare-perl \
 liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
 libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
@@ Line 71: / Line 94: @@
 <note warning>Leave ''TESTING = "1"'' near the top of ''csf.conf'' until you have the basic configuration done.  Starting CSF and LFD with this setting will run a sanity check of your CSF configuration, but will not add any firewall rules.</note>
-<note important>When you are ready to activate the firewall, set ''TESTING = "1"'' then enable and start CSF and LFD as shown below.</note>
+<note important>When you are ready to activate the firewall, set ''TESTING = "0"'' then enable and start CSF and LFD as shown below.</note>
 Hosts to allow:
@@ Line 77: / Line 100: @@
 <file>
 vim /etc/csf/csf.allow
+</file>
+<file>
+# Network where you manage your MailCleaner from
+.0.0.0/24    # Management LAN
+# If you have a MailCleaner cluster server, allow it here
+# MailCleaner Cluster Ports
+tcp|in|d=22,3306_3307,5132|s=192.168.1.30
+tcp|out|d=22,3306_3307,5132|d=192.168.1.30
+udp|in|d=161|s=192.168.1.30
+udp|out|d=161|d=192.168.1.30
 </file>
@@ Line 83: / Line 118: @@
 <file>
 vim /etc/csf/csf.ignore
+</file>
+<file>
+.0.0.0/24      # Management LAN
+.168.1.30     # MailCleaner #2
 </file>
@@ Line 91: / Line 131: @@
 </file>
-Processes you want LFD to ignore:
+<note warning>If you plan to enable a large number of addresses, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note>
-<file>
+We uncomment (enable) the following lists:
-vim /etc/csf/csf.pignore
-</file>
-Add these lines at the bottom:
 <file>
-cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf
+SPAMDROP
-cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf
+SPAMDROPV6
-cmd:SpamHandler
+SPAMEDROP
-cmd:PrefTDaemon
+DSHIELD
-cmd:StatsDaemon
+TOR
+HONEYPOT
-pcmd:MailScanner: .*
+CIARMY
-pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.*
+BFB
-pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.*
+MAXMIND
-pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.*
+BDEALL
-pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.*
+STOPFORUMSPAM
-pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.*
+STOPFORUMSPAMV6
-pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.*
+GREENSNOW
-pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.*
 </file>
@@ Line 146: / Line 181: @@
 CONNLIMIT_LOGGING = "1"
 LF_ALERT_TO = "youradminaddress@yourdomain.tld"
+LF_ALERT_FROM = "yourvalidfromaddress@yourdomain.tld"
 LF_PERMBLOCK_COUNT = "3"
 LF_NETBLOCK = "1"
@@ Line 195: / Line 231: @@
 </file>
-===== Start CSF and LFD =====
+===== Configure LFD =====
-Run this and check for obvious errors:
+LFD is the 'log file daemon'.  It **monitors log files** looking for infractions and suspicious processes.  LFD replaces, ''fail2ban'' in our use case.  LFD is a huge part of why CSF is so effective.
+<note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though   These processes can and will change over time with system updates and changes.</note>
+The ''lfd.log'' will show you the processes it is concerned about:
 <file>
-csf -e && csf -s
+tail /var/log/lfd.log
-lfd -e && lfd -s
 </file>
-You can restart CSF and LFD like this:
+Processes you want LFD to ignore:
 <file>
-csf -r && lfd -r
+vim /etc/csf/csf.pignore
 </file>
-===== LFD =====
+Add these lines at the bottom:
-LFD is the 'log file daemon'.  It **monitors log files** looking for infractions and suspicious processes.  LFD is a huge part of why CSF is so effective.
+<file>
+cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf
+cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf
+cmd:SpamHandler
+cmd:PrefTDaemon
+cmd:StatsDaemon
+cmd:MailWatch SQL
+cmd:spamd child
-<note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes.  These processes can and will change over time with system updates and changes.</note>
+pcmd:MailScanner: .*
+pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.*
+pcmd:/opt/clamav/bin/freshclam --user=clamav --config-file=/usr/mailcleaner/etc/clamav/freshclam.*
+pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.*
+pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.*
+pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.*
+pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.*
+pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.*
+pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.*
+</file>
-The ''lfd.log'' will show you the processes it is concerned about:
+===== Start CSF and LFD =====
+Run this and check for obvious errors:
 <file>
-tail /var/log/lfd.log
+csf -e && csf -s
+lfd -e && lfd -s
+</file>
+You can restart CSF and LFD like this:
+<file>
+csf -ra
 </file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools