| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
internet:mail:mailcleaner_csf [2020/09/21 11:59]
gcooper |
internet:mail:mailcleaner_csf [2024/01/12 06:15] (current)
gcooper |
| |
| See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]** | See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]** |
| | |
| | See also **[[internet:mail:mailcleaner_ssl|MailCleaner LetsEncrypt Free SSL]]** |
| |
| **CSF CLI Commands**: https://wiki.centos-webpanel.com/csf-firewall-command-line | **CSF CLI Commands**: https://wiki.centos-webpanel.com/csf-firewall-command-line |
| <note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note> | <note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note> |
| |
| ===== Disable MailCleaner Firewall ===== | ===== Disable Old Services ===== |
| | |
| | <note warning>Has Mailcleaner changed and made this section inaccurate?</note> |
| | |
| | ==== Disable Firewall ==== |
| |
| <file> | <file> |
| |
| <file> | <file> |
| # We will use CSF for firewal, so exiting this script | # We will use CSF for firewall, so exiting this script |
| logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall" | logger "MailCleaner firewall disabled in /usr/mailcleaner/etc/init.d/firewall" |
| exit 0 | exit 0 |
| <file> | <file> |
| /usr/mailcleaner/etc/init.d/firewall stop | /usr/mailcleaner/etc/init.d/firewall stop |
| /usr/mailcleaner/etc/init.d/fail2ban stop | |
| systemctl disable firewalld.service | systemctl disable firewalld.service |
| | </file> |
| | |
| | ==== Disable Fail2Ban ==== |
| | |
| | <file> |
| | vim /usr/mailcleaner/etc/init.d/fail2ban |
| | </file> |
| | |
| | Add at the top below ''#! /bin/sh'' and the initial comments: |
| | |
| | <file> |
| | # We will use LFD for log file monitoring, so exiting this script |
| | logger "MailCleaner fail2ban disabled in /usr/mailcleaner/etc/init.d/fail2ban" |
| | exit 0 |
| | </file> |
| | |
| | <file> |
| | /usr/mailcleaner/etc/init.d/fail2ban stop |
| systemctl disable fail2ban.service | systemctl disable fail2ban.service |
| </file> | </file> |
| <file> | <file> |
| vim /etc/csf/csf.allow | vim /etc/csf/csf.allow |
| | </file> |
| | |
| | <file> |
| | # Network where you manage your MailCleaner from |
| | 10.0.0.0/24 # Management LAN |
| | |
| | # If you have a MailCleaner cluster server, allow it here |
| | # MailCleaner Cluster Ports |
| | tcp|in|d=22,3306_3307,5132|s=192.168.1.30 |
| | tcp|out|d=22,3306_3307,5132|d=192.168.1.30 |
| | udp|in|d=161|s=192.168.1.30 |
| | udp|out|d=161|d=192.168.1.30 |
| </file> | </file> |
| |
| <file> | <file> |
| vim /etc/csf/csf.ignore | vim /etc/csf/csf.ignore |
| | </file> |
| | <file> |
| | |
| | 10.0.0.0/24 # Management LAN |
| | 192.168.1.30 # MailCleaner #2 |
| </file> | </file> |
| |
| </file> | </file> |
| |
| <note warning>If you plan to enable a large number of blocklists, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note> | <note warning>If you plan to enable a large number of addresses, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note> |
| |
| We uncomment (enable) the following lists: | We uncomment (enable) the following lists: |
| STOPFORUMSPAMV6 | STOPFORUMSPAMV6 |
| GREENSNOW | GREENSNOW |
| </file> | |
| |
| Processes you want LFD to ignore: | |
| |
| <file> | |
| vim /etc/csf/csf.pignore | |
| </file> | |
| |
| Add these lines at the bottom: | |
| |
| <file> | |
| cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf | |
| cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf | |
| cmd:SpamHandler | |
| cmd:PrefTDaemon | |
| cmd:StatsDaemon | |
| cmd:MailWatch SQL | |
| cmd:spamd child | |
| |
| pcmd:MailScanner: .* | |
| pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.* | |
| pcmd:/opt/clamav/bin/freshclam --user=clamav --config-file=/usr/mailcleaner/etc/clamav/freshclam.* | |
| pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.* | |
| pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.* | |
| pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.* | |
| pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.* | |
| pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.* | |
| pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.* | |
| </file> | </file> |
| |
| </file> | </file> |
| |
| ===== Start CSF and LFD ===== | ===== Configure LFD ===== |
| |
| Run this and check for obvious errors: | LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD replaces, ''fail2ban'' in our use case. LFD is a huge part of why CSF is so effective. |
| | |
| | <note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.</note> |
| | |
| | The ''lfd.log'' will show you the processes it is concerned about: |
| |
| <file> | <file> |
| csf -e && csf -s | tail /var/log/lfd.log |
| lfd -e && lfd -s | |
| </file> | </file> |
| |
| You can restart CSF and LFD like this: | Processes you want LFD to ignore: |
| |
| <file> | <file> |
| csf -ra | vim /etc/csf/csf.pignore |
| </file> | </file> |
| |
| ===== LFD ===== | Add these lines at the bottom: |
| |
| LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD is a huge part of why CSF is so effective. | <file> |
| | cmd:/opt/apache2/bin/httpd -f /usr/mailcleaner/etc/apache/httpd.conf |
| | cmd:/usr/bin/python /opt/greylistd/sbin/greylistd /usr/mailcleaner/etc/greylistd/greylistd.conf |
| | cmd:SpamHandler |
| | cmd:PrefTDaemon |
| | cmd:StatsDaemon |
| | cmd:MailWatch SQL |
| | cmd:spamd child |
| |
| <note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.</note> | pcmd:MailScanner: .* |
| | pcmd:/opt/clamav/sbin/clamd --config-file=/usr/mailcleaner/etc/clamav/clam.* |
| | pcmd:/opt/clamav/bin/freshclam --user=clamav --config-file=/usr/mailcleaner/etc/clamav/freshclam.* |
| | pcmd:/opt/mysql5/bin/mysqld --defaults-file=/usr/mailcleaner/etc/mysql/my_.* |
| | pcmd:/usr/local/bin/spamd --socketpath=/var/mailcleaner/spool/spamassassin/spamd.sock.* |
| | pcmd:/usr/local/bin/newsld --socketpath=/var/mailcleaner/spool/newsld/newsld.sock.* |
| | pcmd:/opt/exim4/bin/exim -C /usr/mailcleaner/etc/exim/exim_stage.* |
| | pcmd:/opt/exim4/bin/exim -C /var/mailcleaner/spool/tmp/exim/exim_stage.* |
| | pcmd:/opt/dcc/libexec/dccifd -h/opt/dcc/var.* |
| | </file> |
| |
| The ''lfd.log'' will show you the processes it is concerned about: | ===== Start CSF and LFD ===== |
| | |
| | Run this and check for obvious errors: |
| |
| <file> | <file> |
| tail /var/log/lfd.log | csf -e && csf -s |
| | lfd -e && lfd -s |
| | </file> |
| | |
| | You can restart CSF and LFD like this: |
| | |
| | <file> |
| | csf -ra |
| </file> | </file> |
