internet:mail:mailcleaner_csf [2021/02/08 09:22] gcooper |
internet:mail:mailcleaner_csf [2024/01/12 06:15] (current) gcooper |
<note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note> | <note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note> |
| |
===== Disable MailCleaner Firewall ===== | ===== Disable Old Services ===== |
| |
| <note warning>Has Mailcleaner changed and made this section inaccurate?</note> |
| |
| ==== Disable Firewall ==== |
| |
<file> | <file> |
<file> | <file> |
/usr/mailcleaner/etc/init.d/firewall stop | /usr/mailcleaner/etc/init.d/firewall stop |
/usr/mailcleaner/etc/init.d/fail2ban stop | |
systemctl disable firewalld.service | systemctl disable firewalld.service |
| </file> |
| |
| ==== Disable Fail2Ban ==== |
| |
| <file> |
| vim /usr/mailcleaner/etc/init.d/fail2ban |
| </file> |
| |
| Add at the top below ''#! /bin/sh'' and the initial comments: |
| |
| <file> |
| # We will use LFD for log file monitoring, so exiting this script |
| logger "MailCleaner fail2ban disabled in /usr/mailcleaner/etc/init.d/fail2ban" |
| exit 0 |
| </file> |
| |
| <file> |
| /usr/mailcleaner/etc/init.d/fail2ban stop |
systemctl disable fail2ban.service | systemctl disable fail2ban.service |
</file> | </file> |
</file> | </file> |
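Review bot: In the new "Disable Fail2Ban" steps, ''/usr/mailcleaner/etc/init.d/fail2ban stop'' is run after the init script has been edited to ''exit 0'' near the top, so the stop call returns before it reaches the script's stop logic and a running fail2ban instance may be left up. Run the ''stop'' command first, then add the ''logger''/''exit 0'' lines, and verify afterwards that no fail2ban process remains. The added note "Has Mailcleaner changed and made this section inaccurate?" is also an open question left in the published page; resolve it against the current MailCleaner release or state which release these steps were checked on.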
| |
<note warning>If you plan to enable a large number of blocklists, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note> | <note warning>If you plan to enable a large number of addresses, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note> |
| |
We uncomment (enable) the following lists: | We uncomment (enable) the following lists: |
</file> | </file> |
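Review bot: The reworded warning now reads "enable a large number of addresses", but the step that follows enables lists, not addresses, so the sentence no longer matches what the reader actually does. Something like "If you plan to enable blocklists containing a large number of addresses" keeps the point of the change (memory use grows with the number of addresses) while still describing the action.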
| |
===== LFD ===== | ===== Configure LFD ===== |
| |
LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD is a huge part of why CSF is so effective. | LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD replaces, ''fail2ban'' in our use case. LFD is a huge part of why CSF is so effective. |
| |
<note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.</note> | <note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.</note> |
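Review bot: The added sentence "LFD replaces, ''fail2ban'' in our use case." has a stray comma after "replaces"; it should read "LFD replaces ''fail2ban'' in our use case." While touching this section, the unchanged ''csf.pignore'' warning also has a broken clause ("even though These processes can and will change"); consider ending the sentence after "normal system processes" and starting a new one at "These processes".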