useful link to install logwatch:
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps
example
logwatch --detail Low --mailto info@saic.it --service http --range today
I don't know what's the matter with people: they don't learn by understanding, they learn by some other way — by rote or something. Their knowledge is so fragile! (Feynman)
I have this error in /var/log/maillog:
(!)connect to /var/run/clamd.amavisd/clamd.sock failed
I solved it this way:
Edit /etc/clamd/clamd.conf
LocalSocket /var/run/clamd.amavisd/clamd.sock
User amavis
The user defined there (amavis) has to be the owner of the folder /var/run/clamd.amavisd.
In the file /etc/amavisd/amavisd.conf you need the same socket path as above, /var/run/clamd.amavisd/clamd.sock, in this position:
# ### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
1.
add the following to the /etc/postfix/main.cf configuration file
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit
2.
create the file /etc/postfix/helo_access
and add your restrictions, for example:
myowndomain.com REJECT
pcname PERMIT
3.
create the database (you don't need to restart postfix)
postmap /etc/postfix/helo_access
4.
postfix check
restart or reload postfix
/etc/init.d/postfix reload
or
/etc/init.d/postfix restart
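As an added illustration (not from the original notes and not Postfix's own code), this Python model walks the smtpd_helo_restrictions list above in order, stopping at the first restriction that permits or rejects, with the helo_access table from step 2 embedded inline. It assumes a mynetworks value of 127.0.0.0/8 and 192.0.2.0/24 and uses simplified hostname syntax checks in place of Postfix's own.

```python
import ipaddress
import re

# smtpd_helo_restrictions from the main.cf above; smtpd stops at the first
# restriction that returns PERMIT or REJECT (simplified model, added here).
HELO_RESTRICTIONS = ["permit_mynetworks", "check_helo_access",
                     "reject_non_fqdn_hostname", "reject_invalid_hostname", "permit"]
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]  # assumed value
HELO_ACCESS = "myowndomain.com REJECT\npcname PERMIT\n"  # the table from step 2, constructed inline
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def parse_access_table(text):
    """Parse access(5) input such as /etc/postfix/helo_access (what postmap compiles)."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip().upper()
    return table

def lookup_access(table, name):
    """access(5) domain lookup: the exact name, then each parent domain
    (parent_domain_matches_subdomains lists smtpd_access_maps by default)."""
    labels = name.lower().split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))
    return next((table[d] for d in candidates if d in table), None)

def is_valid_hostname(name):
    return all(_LABEL.match(label) for label in name.split("."))

def is_fqdn(name):
    # simplified: valid syntax, at least one dot, alphabetic TLD; address literals not modelled
    labels = name.split(".")
    return is_valid_hostname(name) and len(labels) > 1 and labels[-1].isalpha()

def evaluate_helo(client_ip, helo, table):
    """Walk the restriction list in order; returns (deciding restriction, verdict)."""
    ip = ipaddress.ip_address(client_ip)
    for r in HELO_RESTRICTIONS:
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return r, "PERMIT"
        if r == "check_helo_access":
            action = lookup_access(table, helo)
            if action in ("OK", "PERMIT"):
                return r, "PERMIT"
            if action == "REJECT":
                return r, "REJECT"
        if r == "reject_non_fqdn_hostname" and not is_fqdn(helo):
            return r, "REJECT"
        if r == "reject_invalid_hostname" and not is_valid_hostname(helo):
            return r, "REJECT"
        if r == "permit":
            return r, "PERMIT"
```

Because permit_mynetworks comes first, a client inside mynetworks is never checked against helo_access, while an outside client announcing your own domain (or any subdomain of it) is rejected before the FQDN checks run.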
print out configuration
postconf -n
mailq shows the mail in the queue
To remove all mail from the queue, enter:
postsuper -d ALL
vim /etc/postfix/rbl_override
gmail.com OK
gmail.it OK
yahoo.com OK
hotmail.com OK
outlook.com OK
startcomca.com OK
libero.it OK
and my main.cf
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    check_helo_access hash:/etc/postfix/helo_access,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_sender_login_mismatch,
    reject_non_fqdn_helo_hostname,
    permit_sasl_authenticated,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    reject_unauth_destination,
    reject_unverified_recipient,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    #check_client_access pcre:/etc/postfix/client_checks.pcre,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client b.barracudacentral.org,
    #####reject_rbl_client dnsbl-1.uceprotect.net,
    #reject_rbl_client dnsbl.sorbs.net,
    #reject_rbl_client dnsrbl.org,
    #reject_rbl_client bl.blocklist.de,
    #reject_rbl_client babl.rbl.webiron.net,
    #reject_rbl_client cabl.rbl.webiron.net,
    permit
after this configuration type:
postmap /etc/postfix/rbl_override
restart postfix
a) Create configuration file
vim /etc/fail2ban/filter.d/wordpress.conf
# Fail2Ban filter for WordPress hard failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:wordpress|wp)
# A POST to the login page answered with 200 and one of these body sizes is
# the failed-login page on this site (a successful login answers 302);
# adjust the sizes to your own site. <HOST> is anchored at the line start:
# with a leading .* the regex engine captures only the tail of the address.
failregex = ^<HOST> - - .* "POST \/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            ^<HOST> - - .* "POST \/xmlrpc\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            ^<HOST> - - .* "POST \/blog\/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            ^<HOST> - - .* "POST \/web\/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
ignoreregex =
b) set jail.conf
[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/httpd/access_log
maxretry = 5
port = http,https
findtime = 300
bantime = 10800
restart fail2ban
The first thing we need to do is create a filter for ISPConfig in the /etc/fail2ban/filter.d/ directory.
vi /etc/fail2ban/filter.d/ispconfig.conf
Add the following definition so the filter knows what to look for in the /var/log/ispconfig/auth.log for ISPConfig 3.
# Fail2Ban filter for ISPConfig hard failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:ispconfig)
failregex = Failed login for user .* from <HOST>
ignoreregex =
vim /etc/fail2ban/jail.conf
add this line
[ispconfig]
enabled = true
port = 8080
filter = ispconfig
# the name must differ from the wordpress jail (each jail gets its own iptables chain)
# and the banned port is ISPConfig's 8080, matching the port line above
action = iptables-multiport[name=ispconfig, port="8080", dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/ispconfig/auth.log
maxretry = 3
findtime = 300
bantime = 10800
You can/should test the new configuration by running the following command.
fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf
Then restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.
service fail2ban restart
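Added example, not part of the original notes and not fail2ban's own code: a small Python stand-in for fail2ban-regex that expands <HOST>, runs the wordpress and ispconfig failregex lines from the two filters above over constructed access_log and auth.log lines, and applies maxretry. HOST_TAG is a simplified version of fail2ban's real <HOST> expansion and the auth.log line format is assumed from the failregex; the last function shows what the wordpress pattern captures when it is written with a leading .* instead of the ^ anchor.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# tag is richer and also covers IPv6 and, with usedns, hostnames).
HOST_TAG = r"(?P<host>[\w\-.^_]*\w)"

# failregex lines as the two filter files express them
WORDPRESS = [
    r'^<HOST> - - .* "POST \/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*',
    r'^<HOST> - - .* "POST \/xmlrpc\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*',
]
ISPCONFIG = [r"Failed login for user .* from <HOST>"]

def matched_hosts(lines, patterns):
    """Host captured for every line that hits a failregex, as fail2ban-regex reports it."""
    compiled = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break  # first matching failregex wins
    return hosts

def hosts_to_ban(lines, patterns, maxretry):
    """Hosts with at least maxretry failures (findtime is ignored in this simplified model)."""
    counts = Counter(matched_hosts(lines, patterns))
    return sorted(h for h, n in counts.items() if n >= maxretry)

def unanchored_capture(line):
    """What the wordpress pattern captures when written with a leading '.*' instead of '^'."""
    rx = re.compile(WORDPRESS[0].replace("^", ".*", 1).replace("<HOST>", HOST_TAG))
    m = rx.search(line)
    return m.group("host") if m else None

# Constructed access_log lines: 203.0.113.7 fails five times; 198.51.100.2 fails once,
# then logs in (302 redirect), which the filter must not count as a failure.
ACCESS_LOG = [
    f'203.0.113.7 - - [10/Jan/2024:10:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 5128 "-" "Mozilla/5.0"'
    for i in range(5)
] + [
    '198.51.100.2 - - [10/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5127 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jan/2024:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed ISPConfig auth.log lines (line format assumed from the failregex above)
AUTH_LOG = ["Failed login for user admin from 192.0.2.9"] * 3 + ["Failed login for user admin from 198.51.100.2"]
```

With the page's maxretry values, hosts_to_ban(ACCESS_LOG, WORDPRESS, 5) bans only 203.0.113.7 and hosts_to_ban(AUTH_LOG, ISPCONFIG, 3) bans only 192.0.2.9, while unanchored_capture on the first access_log line returns just "7".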