Table of Contents

MailCleaner CSF Firewall

FIXME Unfinished

See also ConfigServer Security & Firewall (CSF)

See also MailCleaner LetsEncrypt Free SSL

CSF CLI Commands: https://wiki.centos-webpanel.com/csf-firewall-command-line

CSF Docs: https://download.configserver.com/csf/readme.txt

DDoS: https://www.liquidweb.com/kb/basic-dosddos-mitigation-with-the-csf-firewall/

CSF and this howto are probably most beneficial when using MailCleaner as a bastion host with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.

Disable Old Services

Has Mailcleaner changed and made this section inaccurate?

Disable Firewall

vim /usr/mailcleaner/etc/init.d/firewall

Add at the top below #! /bin/sh:

# We will use CSF for firewall, so exiting this script
logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall"
exit 0
/usr/mailcleaner/etc/init.d/firewall stop
systemctl disable firewalld.service

Disable Fail2Ban

vim /usr/mailcleaner/etc/init.d/fail2ban

Add at the top below #! /bin/sh and the initial comments:

# We will use LFD for log file monitoring, so exiting this script
logger "MailCleaner fail2ban disabled in /usr/mailcleaner/etc/init.d/fail2ban"
exit 0
/usr/mailcleaner/etc/init.d/fail2ban stop
systemctl disable fail2ban.service

Install CSF

echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
apt update && apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
rm -fv csf.tgz && wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf
sh install.sh

Test CSF:

perl /usr/local/csf/bin/csftest.pl

Configure Webmin

Webmin provides a useful web interface to configure and manage CSF. It is definitely worth configuring, but is not required. I find that I prefer to use the CLI and VIM for initial configuration, then I use Webmin after that.

Admin URL: https://ip.of.csf.host:10000/

Webmin → Webmin Configuration → Webmin Modules → From local file → /etc/csf/csfwebmin.tgz → Install Module

Link to CSF Firewall in Webmin

Configure CSF

Leave TESTING = “1” near the top of csf.conf until you have the basic configuration done. Starting CSF and LFD with this setting will run a sanity check of your CSF configuration, but will not add any firewall rules.
When you are ready to activate the firewall, set TESTING = “0” then enable and start CSF and LFD as shown below.

Hosts to allow:

vim /etc/csf/csf.allow
# Network where you manage your MailCleaner from
10.0.0.0/24    # Management LAN

# If you have a MailCleaner cluster server, allow it here
# MailCleaner Cluster Ports
tcp|in|d=22,3306_3307,5132|s=192.168.1.30
tcp|out|d=22,3306_3307,5132|d=192.168.1.30
udp|in|d=161|s=192.168.1.30
udp|out|d=161|d=192.168.1.30

Hosts for LFD to ignore:

vim /etc/csf/csf.ignore
10.0.0.0/24      # Management LAN
192.168.1.30     # MailCleaner #2

Pre-configured block lists of evildoers:

vim /etc/csf/csf.blocklists
If you plan to enable a large number of addresses, you should make sure to install/enable ipset (as documented on this page) and keep track of your system memory usage.

We uncomment (enable) the following lists:

SPAMDROP
SPAMDROPV6
SPAMEDROP
DSHIELD
TOR
HONEYPOT
CIARMY
BFB
MAXMIND
BDEALL
STOPFORUMSPAM
STOPFORUMSPAMV6
GREENSNOW

The main configuration file:

vim /etc/csf/csf.conf

MailCleaner Firewall Doc: https://support.mailcleaner.net/boards/3/topics/22-mailcleaner-network-configuration

Some settings to change from the defaults:

TCP_IN = "22,25,80,443"
TCP_OUT = "7,22,25,53,80,389,443,636,2703"
UDP_IN = ""
UDP_OUT = "53,113,123,6277,24441,33434:33523"

TCP6_IN = "22,25,80,443"
TCP6_OUT = "7,22,25,53,80,389,443,636,2703"
UDP6_IN = ""
UDP6_OUT = "53,113,123,6277,24441,33434:33523"

SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
SYNFLOOD = "1"
CONNLIMIT = "22;10,25;15,80;30,443;30,587;15,10000;30"
PORTFLOOD = "22;tcp;15;300,25;tcp;20;180,80;tcp;20;5,443;tcp;20;5,587;tcp;20;180,10000;tcp;20;5"
CONNLIMIT_LOGGING = "1"
LF_ALERT_TO = "youradminaddress@yourdomain.tld"
LF_ALERT_FROM = "yourvalidfromaddress@yourdomain.tld"
LF_PERMBLOCK_COUNT = "3"
LF_NETBLOCK = "1"
LF_NETBLOCK_COUNT = "3"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
LF_TRIGGER = "3"
LF_TRIGGER_PERM = "300"
LF_TRIGGER = "0"
LF_SELECT = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "600"
LF_FTPD = "10"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "600"
LF_POP3D = "10"
LF_POP3D_PERM = "600"
LF_IMAPD = "10"
LF_IMAPD_PERM = "600"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "600"
LF_MODSEC = "5"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "5"
LF_CXS_PERM = "600"
LF_QOS = "5"
LF_QOS_PERM = "600"
LF_SYMLINK = "5"
LF_SYMLINK_PERM = "600"
LF_WEBMIN = "5"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_APACHE_401 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "60"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"

Configure LFD

LFD is the 'log file daemon'. It monitors log files looking for infractions and suspicious processes. LFD replaces, fail2ban in our use case. LFD is a huge part of why CSF is so effective.

You will almost certainly need to edit csf.pignore to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.

The lfd.log will show you the processes it is concerned about:

tail /var/log/lfd.log

Processes you want LFD to ignore:

vim /etc/csf/csf.pignore

Add these lines at the bottom:

cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf
cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf
cmd:SpamHandler
cmd:PrefTDaemon
cmd:StatsDaemon
cmd:MailWatch SQL
cmd:spamd child

pcmd:MailScanner: .*
pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.*
pcmd:/opt/clamav/bin/freshclam --user=clamav --config-file=/usr/mailcleaner/etc/clamav/freshclam.*
pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.*
pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.*
pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.*
pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.*
pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.*
pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.*

Start CSF and LFD

Run this and check for obvious errors:

csf -e && csf -s
lfd -e && lfd -s

You can restart CSF and LFD like this:

csf -ra