Posts

Posted on

Amavis – Clamd – Centos 7

I’ve ths error in /var/log/maillog:
(!)connect to /var/run/clamd.amavisd/clamd.sock failed

I solved in this way:

Edit /etc/clamd/clamd.conf

LocalSocket /var/run/clamd.amavisd/clamd.sock
User amavis

the User I defined (amavis), have to be the owner of the folder /var/run/clamd.amavisd
in the file /etc/amavisd/amavisd.conf you need the same file before : /var/run/clamd.amavisd/clamd.sock in this position
# ### http://www.clamav.net/
[‘ClamAV-clamd’,
\&ask_daemon, [“CONTSCAN {}\n”, “/var/run/clamd.amavisd/clamd.sock“],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

Posted on

Configuration for helo hostname and accept mail without postgray check

1.
add the following to the /etc/postfix/main.cf configuration file

smtpd_delay_reject = yes
smtpd_helo_required = yes smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access
hash:/etc/postfix/helo_access,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

2.
create the file /etc/postfix/helo_access
and add your restriction like example:

myowndomain.com REJECT
pcname PERMIT

3.
create the database (you don’t need restart postfix)
postmap /etc/postfix/helo_access 

4.
postfix check
restart or reload postfix
/etc/init.d/postfix reload

or
/etc/init.d/postfix restart

print out configuration
postconf -n

mailq to see the mail in queue

To remove all mail from the queue, enter:
postsuper -d ALL

Accept mail without any postgray check:

vim  /etc/postfix/rbl_override

gmail.com OK

gmail.it OK

yahoo.com OK

hotmail.com OK

outlook.com OK

startcomca.com OK

libero.it OK

and my main.cf

smtpd_recipient_restrictions =
reject_unauth_pipelining,
check_helo_access hash:/etc/postfix/helo_access,
check_client_access hash:/etc/postfix/rbl_override,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_sender_login_mismatch,
reject_non_fqdn_helo_hostname,
permit_sasl_authenticated,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
reject_unauth_destination,
reject_unverified_recipient,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
#check_client_access pcre:/etc/postfix/client_checks.pcre,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client b.barracudacentral.org,
#####reject_rbl_client dnsbl-1.uceprotect.net,
#reject_rbl_client dnsbl.sorbs.net,
#reject_rbl_client dnsrbl.org,
#reject_rbl_client bl.blocklist.de,
#reject_rbl_client babl.rbl.webiron.net,
#reject_rbl_client cabl.rbl.webiron.net,
permit

 

after this configuration type:

postmap /etc/postfix/rbl_override

restart postfix

 

Posted on

Failban Configuration file for WordPress

a) Create configuration file
vim /etc/fail2ban/filter.d/wordpress.conf

# Fail2Ban filter for WordPress hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

failregex = .*<HOST> – – .* “POST \/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/xmlrpc\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/blog\/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
.*<HOST> – – .* “POST \/web\/wp-login\.php HTTP\/1\.1” 200 (5127|5128|5129|5130) .*
ignoreregex =

b) set jail.conf

[wordpress]

enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port=”http,https”, dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/httpd/access_log
maxretry = 5
port = http,https
findtime = 300
bantime = 10800

restart failban

 

 

Posted on

Failban Configuration for ISPConfig

vi /etc/fail2ban/filter.d/ispconfig.conf
The first thing we need to do is create a filter for ISPconfig in the /etc/fail2ban/filter.d/ directory.

vi /etc/fail2ban/filter.d/ispconfig.conf
Add the following definition so the filter knows what to look for in the /var/log/ispconfig/auth.log for ISPConfig 3.

# Fail2Ban filter for ISPConfig hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:ispconfig)

failregex = Failed login for user .* from <HOST>
ignoreregex =

vim /etc/fail2ban/jail.conf

add this line

[ispconfig]
enabled = true
port = 8080
filter = ispconfig
action = iptables-multiport[name=wordpress, port=”http,https”, dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/ispconfig/auth.log
maxretry = 3
findtime = 300
bantime = 10800
You can/should test the new configuration by running the following command.

fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

THEN Restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.

service fail2ban restart

usefull

https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server

Posted on

Failban configuration

Today I found an error in the regular expression of failban filter :

/etc/fail2ban/filter.d/postfix-sasl.conf

with this useful site https://regex101.com/ gave me an error so I changed the expression from

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*     

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+\/:]*={0,2})?\s*     

failban conf file : jail.conf

[postfix-sasl]

enabled = true
filter = postfix-sasl
action = iptables[name=postfix-sasl, port=”smtp,465,submission,imap3,imaps,pop3,pop3s”, protocol=tcp]
sendmail-whois[name=postfix-sasl, dest=postmaster@saic.it, sender=postmaster@saic.it]
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# “warn” level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
bantime = 10800

here /etc/fail2ban/paths-fedora.conf the configuration of the variable postfix_log and postfix_backend

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal