MailCleaner CSF Firewall

FIXME Unfinished

See also ConfigServer Security & Firewall (CSF)

CSF Docs: https://download.configserver.com/csf/readme.txt

DDoS: https://www.liquidweb.com/kb/basic-dosddos-mitigation-with-the-csf-firewall/

CSF and this howto are probably most beneficial when using MailCleaner as a bastion host with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you.

Disable MailCleaner Firewall

vim /usr/mailcleaner/etc/init.d/firewall

Add this at the top, just below the #! /bin/sh line:

# We will use CSF for the firewall, so exit this script
logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall"
exit 0

Then stop the MailCleaner firewall and fail2ban scripts, and stop and disable the firewalld and fail2ban services:

/usr/mailcleaner/etc/init.d/firewall stop
/usr/mailcleaner/etc/init.d/fail2ban stop
systemctl stop firewalld.service && systemctl disable firewalld.service
systemctl stop fail2ban.service && systemctl disable fail2ban.service

Install CSF

echo -e "\n# Webmin\ndeb http://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
apt install webmin unzip ipset libwww-perl liblist-compare-perl \
liblwp-protocol-https-perl libio-socket-ssl-perl libcrypt-ssleay-perl \
libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libgd-graph-perl
rm -fv csf.tgz && wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf
sh install.sh

Test CSF:

perl /usr/local/csf/bin/csftest.pl

Configure Webmin

Webmin provides a useful web interface to configure and manage CSF. It is definitely worth configuring, but is not required. I find that I prefer to use the CLI and Vim for the initial configuration, then Webmin after that.

Admin URL: https://ip.of.csf.host:10000/

Webmin → Webmin Configuration → Webmin Modules → From local file → /etc/csf/csfwebmin.tgz → Install Module

Configure CSF

Leave TESTING = "1" near the top of csf.conf until you have the basic configuration done. Starting CSF and LFD with this setting will run a sanity check of your CSF configuration, but will not add any firewall rules.
When you are ready to activate the firewall, set TESTING = "0", then enable and start CSF and LFD as shown below.

Hosts to allow:

vim /etc/csf/csf.allow

Hosts for LFD to ignore:

vim /etc/csf/csf.ignore

Pre-configured block lists of evildoers:

vim /etc/csf/csf.blocklists

Processes you want LFD to ignore:

vim /etc/csf/csf.pignore

Add these lines at the bottom:

cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf
cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf
cmd:SpamHandler
cmd:PrefTDaemon
cmd:StatsDaemon

pcmd:MailScanner: .*
pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.*
pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.*
pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.*
pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.*
pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.*
pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.*
pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.*

The main configuration file:

vim /etc/csf/csf.conf

MailCleaner Firewall Doc: https://support.mailcleaner.net/boards/3/topics/22-mailcleaner-network-configuration

Some settings to change from the defaults:

TCP_IN = "22,25,80,443"
TCP_OUT = "7,22,25,53,80,389,443,636,2703"
UDP_IN = ""
UDP_OUT = "53,113,123,6277,24441,33434:33523"

TCP6_IN = "22,25,80,443"
TCP6_OUT = "7,22,25,53,80,389,443,636,2703"
UDP6_IN = ""
UDP6_OUT = "53,113,123,6277,24441,33434:33523"

SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
LF_IPSET = "1"
SYNFLOOD = "1"
CONNLIMIT = "22;10,25;15,80;30,443;30,587;15,10000;30"
PORTFLOOD = "22;tcp;15;300,25;tcp;20;180,80;tcp;20;5,443;tcp;20;5,587;tcp;20;180,10000;tcp;20;5"
CONNLIMIT_LOGGING = "1"
LF_ALERT_TO = "youradminaddress@yourdomain.tld"
LF_PERMBLOCK_COUNT = "3"
LF_NETBLOCK = "1"
LF_NETBLOCK_COUNT = "3"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
# LF_TRIGGER = "0" uses the per-application triggers below (LF_SSHD, LF_SMTPAUTH, ...)
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "300"
LF_SELECT = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "600"
LF_FTPD = "10"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "600"
LF_POP3D = "10"
LF_POP3D_PERM = "600"
LF_IMAPD = "10"
LF_IMAPD_PERM = "600"
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "600"
LF_MODSEC = "5"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "5"
LF_CXS_PERM = "600"
LF_QOS = "5"
LF_QOS_PERM = "600"
LF_SYMLINK = "5"
LF_SYMLINK_PERM = "600"
LF_WEBMIN = "5"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_APACHE_401 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "60"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
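Before flipping TESTING to "0", it is worth checking the edited csf.conf for the mistakes that are easy to make in a long list like the one above: a key assigned twice (csf keeps the last one), TESTING still set, and ports that CONNLIMIT or PORTFLOOD limit but TCP_IN never opens (such ports are reachable only from hosts in csf.allow). The checker below is an added example, not part of CSF or MailCleaner; it assumes only csf.conf's KEY = "VALUE" syntax, and the sample file it builds is constructed from the settings above.

```shell
#!/bin/sh
# Pre-flight checks for the csf.conf edits above (added example, not part of CSF or
# MailCleaner). Assumes csf.conf's KEY = "VALUE" syntax with # comment lines.

# Last value assigned to KEY in FILE (the last definition is the one that wins).
csf_get() {
    awk -v k="$2" -F'"' '$1 ~ "^"k" *= *$" {v=$2} END {print v}' "$1"
}

# Keys assigned more than once, e.g. LF_TRIGGER set to "3" and later to "0".
csf_dup_keys() {
    awk '/^[A-Z0-9_]+ *= *"/ {sub(/ *=.*/, ""); n[$0]++}
         END {for (k in n) if (n[k] > 1) print k}' "$1" | sort
}

# Ports named in CONNLIMIT or PORTFLOOD that TCP_IN does not open: those limits never
# apply, and the port is reachable only from hosts listed in csf.allow.
csf_limited_but_closed() {
    tcp_in=",$(csf_get "$1" TCP_IN),"
    { csf_get "$1" CONNLIMIT; csf_get "$1" PORTFLOOD; } | tr ',' '\n' | cut -d';' -f1 |
    sort -un | while read -r p; do
        case "$tcp_in" in *",$p,"*) ;; *) echo "$p" ;; esac
    done
}

# Returns 0 when the file is ready to activate (TESTING = "0", no duplicate keys).
csf_preflight() {
    rc=0
    [ "$(csf_get "$1" TESTING)" = "0" ] || { echo "TESTING is not 0: lfd will not start"; rc=1; }
    dups=$(csf_dup_keys "$1")
    [ -z "$dups" ] || { echo "keys defined more than once: $dups"; rc=1; }
    closed=$(csf_limited_but_closed "$1" | tr '\n' ' ')
    [ -z "$closed" ] || echo "warning: limited in CONNLIMIT/PORTFLOOD but not in TCP_IN: $closed"
    return $rc
}

# Constructed sample reproducing the page's settings, including a duplicate LF_TRIGGER.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Testing flag - leave at 1 until the configuration is finished
TESTING = "1"
TCP_IN = "22,25,80,443"
CONNLIMIT = "22;10,25;15,80;30,443;30,587;15,10000;30"
PORTFLOOD = "22;tcp;15;300,25;tcp;20;180,587;tcp;20;180,10000;tcp;20;5"
LF_TRIGGER = "3"
LF_TRIGGER_PERM = "300"
LF_TRIGGER = "0"
EOF

csf_preflight "$SAMPLE" || echo "fix the above before setting TESTING = \"0\" and running csf -e"
```

Run it against /etc/csf/csf.conf instead of the sample to check a real installation; the warning about 587 and 10000 is expected with the settings above, since Webmin is then only reachable from csf.allow hosts.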

Start CSF and LFD

Run this and check for obvious errors:

csf -e && csf -s
lfd -e && lfd -s

You can restart CSF and LFD like this:

csf -r && lfd -r

LFD

LFD is the 'log file daemon'. It monitors log files looking for infractions and suspicious processes. LFD is a huge part of why CSF is so effective.

You will almost certainly need to edit csf.pignore to eliminate warnings from normal system processes. These processes can and will change over time with system updates and changes.

The lfd.log will show you the processes it is concerned about:

tail /var/log/lfd.log
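To see which running MailCleaner processes the csf.pignore entries above still leave uncovered (and so which ones LFD will keep reporting), the following added example, which is not part of CSF or MailCleaner, checks a process listing against a pignore file. It assumes the cmd: (exact command line) and pcmd: (Perl regex on the command line) entry types, approximates the Perl regex with grep -E, and assumes lfd matches pcmd: against the whole command line; both the pignore subset and the ps output it builds are constructed samples.

```shell
#!/bin/sh
# Coverage check for csf.pignore against a process listing (added example, not part of CSF
# or MailCleaner). Assumes the cmd: (exact command line) and pcmd: (Perl regex on the
# command line) entry types, approximates the Perl regex with grep -E, and assumes lfd
# matches pcmd: against the whole command line; Perl-only regex syntax may be misjudged.

# Print each command line in PS_FILE (output of `ps -eo args=`) that no cmd:/pcmd: entry
# in PIGNORE covers; these are the processes lfd would keep reporting as suspicious.
pignore_uncovered() {
    pignore=$1; ps_file=$2
    while IFS= read -r cmdline; do
        # exact match against cmd: entries
        grep -Fxq -- "cmd:$cmdline" "$pignore" && continue
        # whole-line regex match against each pcmd: entry
        sed -n 's/^pcmd://p' "$pignore" | while IFS= read -r re; do
            printf '%s\n' "$cmdline" | grep -Eqx -- "$re" && echo matched
        done | grep -q matched && continue
        printf '%s\n' "$cmdline"
    done < "$ps_file"
}

# Constructed sample: a subset of the page's csf.pignore entries ...
PIGNORE=$(mktemp); PS_SAMPLE=$(mktemp); trap 'rm -f "$PIGNORE" "$PS_SAMPLE"' EXIT
cat > "$PIGNORE" <<'EOF'
cmd:SpamHandler
pcmd:MailScanner: .*
pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.*
EOF
# ... and a constructed `ps -eo args=` listing (paths follow the page; arguments are made up)
cat > "$PS_SAMPLE" <<'EOF'
SpamHandler
MailScanner: waiting for messages
/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage1.conf -bd
/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf
/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clamd.conf
EOF

# Candidate entries to review before adding them to csf.pignore (prefer a pcmd: pattern
# when the arguments change between restarts, as with the exim and clamd config paths).
echo "Not covered by csf.pignore:"
pignore_uncovered "$PIGNORE" "$PS_SAMPLE" | sed 's/^/  cmd:/'
```

On a live host, feed it /etc/csf/csf.pignore and the output of ps -eo args= instead of the samples.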

internet/mail/mailcleaner_csf.1595612539.txt.gz · Last modified: 2020/07/24 11:42 by gcooper