====== MailCleaner CSF Firewall ======

FIXME Unfinished

See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]**

See also **[[internet:mail:mailcleaner_ssl|MailCleaner LetsEncrypt Free SSL]]**

**CSF CLI Commands**: https://wiki.centos-webpanel.com/csf-firewall-command-line

**CSF Docs**: https://download.configserver.com/csf/readme.txt

**DDoS**: https://www.liquidweb.com/kb/basic-dosddos-mitigation-with-the-csf-firewall/

<note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address.  If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you.  If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note>

===== Disable Old Services =====

<note warning>Has Mailcleaner changed and made this section inaccurate?</note>

==== Disable Firewall ====

<file>
vim /usr/mailcleaner/etc/init.d/firewall
</file>

Add at the top below ''#! /bin/sh'':

<file>
# We will use CSF for firewall, so exiting this script
logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall"
exit 0
</file>

<file>
/usr/mailcleaner/etc/init.d/firewall stop
systemctl disable firewalld.service
</file>

==== Disable Fail2Ban ====

<file>
vim /usr/mailcleaner/etc/init.d/fail2ban
</file>

Add at the top below ''#! /bin/sh'' and the initial comments:

<file>
# We will use LFD for log file monitoring, so exiting this script
logger "MailCleaner fail2ban disabled in /usr/mailcleaner/etc/init.d/fail2ban"
exit 0
</file>

<file>
/usr/mailcleaner/etc/init.d/fail2ban stop
systemctl disable fail2ban.service
</file>

===== Install CSF =====

<file>
echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
</file>

<file>
apt update && apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
</file>

<file>
rm -fv csf.tgz && wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf
sh install.sh
</file>

Test CSF:

<file>
perl /usr/local/csf/bin/csftest.pl
</file>

===== Configure Webmin =====

<note tip>Webmin provides a useful web interface to configure and manage CSF.  It is definitely worth configuring, but is not required.  I find that I prefer to use the CLI and VIM for initial configuration, then I use Webmin after that.</note>

**Admin URL**: https://ip.of.csf.host:10000/

**Webmin -> Webmin Configuration -> Webmin Modules -> From local file -> ''/etc/csf/csfwebmin.tgz'' -> Install Module**

{{ :internet:mail:mailcleaner_webmin_csf.png?750 |Link to CSF Firewall in Webmin}}

===== Configure CSF =====

<note warning>Leave ''TESTING = "1"'' near the top of ''csf.conf'' until you have the basic configuration done.  Starting CSF and LFD with this setting will run a sanity check of your CSF configuration, but will not add any firewall rules.</note>

<note important>When you are ready to activate the firewall, set ''TESTING = "0"'' then enable and start CSF and LFD as shown below.</note>

Hosts to allow:

<file>
vim /etc/csf/csf.allow
</file>

<file>
# Network where you manage your MailCleaner from
10.0.0.0/24    # Management LAN

# If you have a MailCleaner cluster server, allow it here
# MailCleaner Cluster Ports
tcp|in|d=22,3306_3307,5132|s=192.168.1.30
tcp|out|d=22,3306_3307,5132|d=192.168.1.30
udp|in|d=161|s=192.168.1.30
udp|out|d=161|d=192.168.1.30
</file>

Hosts for LFD to ignore:

<file>
vim /etc/csf/csf.ignore
</file>
<file>

10.0.0.0/24      # Management LAN
192.168.1.30     # MailCleaner #2
</file>

Pre-configured block lists of evildoers:

<file>
vim /etc/csf/csf.blocklists
</file>

<note warning>If you plan to enable a large number of addresses, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note>

We uncomment (enable) the following lists:

<file>
SPAMDROP
SPAMDROPV6
SPAMEDROP
DSHIELD
TOR
HONEYPOT
CIARMY
BFB
MAXMIND
BDEALL
STOPFORUMSPAM
STOPFORUMSPAMV6
GREENSNOW
</file>

The main configuration file:

<file>
vim /etc/csf/csf.conf
</file>

**MailCleaner Firewall Doc**: https://support.mailcleaner.net/boards/3/topics/22-mailcleaner-network-configuration

Some settings to change from the defaults:

<file>
TCP_IN = "22,25,80,443"
TCP_OUT = "7,22,25,53,80,389,443,636,2703"
UDP_IN = ""
UDP_OUT = "53,113,123,6277,24441,33434:33523"

TCP6_IN = "22,25,80,443"
TCP6_OUT = "7,22,25,53,80,389,443,636,2703"
UDP6_IN = ""
UDP6_OUT = "53,113,123,6277,24441,33434:33523"

SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
SYNFLOOD = "1"
CONNLIMIT = "22;10,25;15,80;30,443;30,587;15,10000;30"
PORTFLOOD = "22;tcp;15;300,25;tcp;20;180,80;tcp;20;5,443;tcp;20;5,587;tcp;20;180,10000;tcp;20;5"
CONNLIMIT_LOGGING = "1"
LF_ALERT_TO = "youradminaddress@yourdomain.tld"
LF_ALERT_FROM = "yourvalidfromaddress@yourdomain.tld"
LF_PERMBLOCK_COUNT = "3"
LF_NETBLOCK = "1"
LF_NETBLOCK_COUNT = "3"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
LF_TRIGGER = "3"
LF_TRIGGER_PERM = "300"
LF_TRIGGER = "0"
LF_SELECT = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "600"
LF_FTPD = "10"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "600"
LF_POP3D = "10"
LF_POP3D_PERM = "600"
LF_IMAPD = "10"
LF_IMAPD_PERM = "600"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "600"
LF_MODSEC = "5"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "5"
LF_CXS_PERM = "600"
LF_QOS = "5"
LF_QOS_PERM = "600"
LF_SYMLINK = "5"
LF_SYMLINK_PERM = "600"
LF_WEBMIN = "5"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_APACHE_401 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "60"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
</file>

===== Configure LFD =====

LFD is the 'log file daemon'.  It **monitors log files** looking for infractions and suspicious processes.  LFD replaces, ''fail2ban'' in our use case.  LFD is a huge part of why CSF is so effective.

<note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though   These processes can and will change over time with system updates and changes.</note>

The ''lfd.log'' will show you the processes it is concerned about:

<file>
tail /var/log/lfd.log
</file>

Processes you want LFD to ignore:

<file>
vim /etc/csf/csf.pignore
</file>

Add these lines at the bottom:

<file>
cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf
cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf
cmd:SpamHandler
cmd:PrefTDaemon
cmd:StatsDaemon
cmd:MailWatch SQL
cmd:spamd child

pcmd:MailScanner: .*
pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.*
pcmd:/opt/clamav/bin/freshclam --user=clamav --config-file=/usr/mailcleaner/etc/clamav/freshclam.*
pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.*
pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.*
pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.*
pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.*
pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.*
pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.*
</file>

===== Start CSF and LFD =====

Run this and check for obvious errors:

<file>
csf -e && csf -s
lfd -e && lfd -s
</file>

You can restart CSF and LFD like this:

<file>
csf -ra
</file>