| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
internet:mail:mailcleaner_csf [2021/02/08 09:22]
gcooper |
internet:mail:mailcleaner_csf [2024/01/12 06:15] (current)
gcooper |
| <note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note> | <note>CSF and this howto are probably **most beneficial when using MailCleaner as a bastion host** with a public IP address. If you are running your MailCleaner privately behind a NAT firewall and port-forwarding, this may not be worth the trouble for you. If you build a MailCleaner cluster, you may want to implement CSF clustering as well.</note> |
| |
| ===== Disable MailCleaner Firewall ===== | ===== Disable Old Services ===== |
| | |
| | <note warning>Has Mailcleaner changed and made this section inaccurate?</note> |
| | |
| | ==== Disable Firewall ==== |
| |
| <file> | <file> |
| <file> | <file> |
| /usr/mailcleaner/etc/init.d/firewall stop | /usr/mailcleaner/etc/init.d/firewall stop |
| /usr/mailcleaner/etc/init.d/fail2ban stop | |
| systemctl disable firewalld.service | systemctl disable firewalld.service |
| | </file> |
| | |
| | ==== Disable Fail2Ban ==== |
| | |
| | <file> |
| | vim /usr/mailcleaner/etc/init.d/fail2ban |
| | </file> |
| | |
| | Add at the top below ''#! /bin/sh'' and the initial comments: |
| | |
| | <file> |
| | # We will use LFD for log file monitoring, so exiting this script |
| | logger "MailCleaner fail2ban disabled in /usr/mailcleaner/etc/init.d/fail2ban" |
| | exit 0 |
| | </file> |
| | |
| | <file> |
| | /usr/mailcleaner/etc/init.d/fail2ban stop |
| systemctl disable fail2ban.service | systemctl disable fail2ban.service |
| </file> | </file> |
| </file> | </file> |
| |
| <note warning>If you plan to enable a large number of blocklists, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note> | <note warning>If you plan to enable a large number of addresses, you should make sure to install/enable ''ipset'' (as documented on this page) and keep track of your system memory usage.</note> |
| |
| We uncomment (enable) the following lists: | We uncomment (enable) the following lists: |
| </file> | </file> |
| |
| ===== LFD ===== | ===== Configure LFD ===== |
| |
| LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD is a huge part of why CSF is so effective. | LFD is the 'log file daemon'. It **monitors log files** looking for infractions and suspicious processes. LFD replaces, ''fail2ban'' in our use case. LFD is a huge part of why CSF is so effective. |
| |
| <note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.</note> | <note warning>You will almost certainly need to edit ''csf.pignore'' to eliminate warnings from normal system processes, even though These processes can and will change over time with system updates and changes.</note> |
