Mars: Difference between revisions
Latest revision as of 11:43, 1 June 2018
Mars is our external vhost at Hetzner. It is a CX10. Its IP is 78.46.208.206 or 2a01:4f8:c17:c8d::2
The following runs there:
- Apache for
- Our mailing lists
  - Postfix for receiving mail
  - ClamAV as virus scanner
  - SpamAssassin for filtering spam
  - Mailman for managing the lists
- Other services
  - PowerDNS Recursor (pdns-recursor for short)
  - fail2ban
If you need ssh access, talk to Severin.
Mail / mailing lists
Postfix
    # sudo aptitude install postfix
    # sudo dpkg-reconfigure postfix
    Choose / Change:
    -> Internet site
    -> munichmakerlab.de
Adjust or add the following in main.cf (not via postconf; editing it in vi is simpler)
    # sudo vi /etc/postfix/main.cf
- General
    myhostname = mars.munichmakerlab.de
- Changes for mailman
    alias_maps = hash:/etc/postfix/aliases,
        hash:/usr/local/mailman/data/aliases
    mailman_destination_recipient_limit = 1
- TLS
    tls_ssl_options = NO_COMPRESSION
    tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    ### outgoing connections ###
    smtp_tls_security_level=may
    smtp_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
    smtp_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    ### incoming connections ###
    smtpd_tls_security_level=may
    smtpd_tls_cert_file=/etc/letsencrypt/live/mars.munichmakerlab.de/fullchain.pem
    smtpd_tls_key_file=/etc/letsencrypt/live/mars.munichmakerlab.de/privkey.pem
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls=yes
- Some security / anti-spam settings
    smtpd_client_restrictions =
        permit_mynetworks,
        permit
    smtpd_helo_restrictions =
        permit_mynetworks,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        permit
    smtpd_sender_restrictions =
        permit_mynetworks,
        permit
    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_unknown_sender_domain,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        permit
    smtpd_data_restrictions =
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_multi_recipient_bounce,
        permit
    canonical_classes = envelope_sender, header_sender
    smtpd_discard_ehlo_keywords = silent-discard, dsn
    disable_vrfy_command = yes
    smtpd_helo_required = yes
    strict_rfc821_envelopes = yes
    smtpd_delay_reject = yes
    anvil_rate_time_unit = 60
    anvil_status_update_time = 60
    smtpd_client_connection_count_limit = 5
    smtpd_client_connection_rate_limit = 10
    smtpd_client_message_rate_limit = 10
    smtpd_client_recipient_rate_limit = 10
    smtp_connect_timeout = 300s
    smtp_helo_timeout = 300s
    smtp_mail_timeout = 300s
    smtp_rcpt_timeout = 300s
    smtp_quit_timeout = 600s
    smtp_rset_timeout = 30s
- Milters for SpamAssassin and ClamAV
    smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
    milter_connect_macros = i j {daemon_name} v {if_name} _
    milter_default_action = accept
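A small audit of the main.cf settings above, as an added example that is not part of the original page: it joins Postfix continuation lines (which must start with whitespace) and then checks two things, whether reject_unauth_destination comes before the blanket permit in smtpd_recipient_restrictions, and whether the milters fail open. The finding codes and function names are hypothetical, and it looks only at smtpd_recipient_restrictions, the parameter this page uses.

```python
# Constructed sample: an excerpt of the main.cf settings shown above.
SAMPLE_MAIN_CF = """\
myhostname = mars.munichmakerlab.de
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
milter_default_action = accept
"""


def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines.

    Postfix treats a line that starts with whitespace as a continuation of
    the previous logical line. Blank lines and comment lines are skipped.
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
        # Any other line (e.g. a continuation that lost its indentation)
        # is not a valid assignment and is ignored here.
    return params


def audit(params):
    """Return finding codes (hypothetical names) for two checks."""
    findings = []
    # Entries are comma-separated on this page; Postfix also accepts whitespace.
    rcpt = [r.strip() for r in
            params.get("smtpd_recipient_restrictions", "").split(",") if r.strip()]
    guard = "reject_unauth_destination"
    if guard not in rcpt:
        findings.append("RELAY_GUARD_MISSING")
    elif "permit" in rcpt and rcpt.index("permit") < rcpt.index(guard):
        findings.append("RELAY_GUARD_AFTER_PERMIT")
    # With 'accept', mail is delivered unscanned whenever a milter is down.
    if params.get("smtpd_milters") and params.get("milter_default_action") == "accept":
        findings.append("MILTER_FAIL_OPEN")
    return findings


if __name__ == "__main__":
    for code in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(code)
```

If the restriction lists are pasted without their leading whitespace, the continuation lines are no longer part of the parameter and the relay guard is reported as missing.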
ClamAV
Installation is straightforward
    # sudo aptitude install clamav
We hook ClamAV into Postfix via a milter (so that mail is scanned as soon as it is received):
    # sudo aptitude install clamav-milter
Adjust the milter so that Postfix can access it:
    # sudo dpkg-reconfigure clamav-milter
    -> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
    -> ClamdSocket unix:/var/run/clamav/clamd.ctl
SpamAssassin
Installation, including some tools and the milter
    # sudo aptitude install spamassassin razor pyzor swaks spamass-milter
Adjust a few more configs:
    # sudo vi /etc/default/spamass-milter
    -> OPTIONS="-u spamass-milter -m -I -i 127.0.0.1 -r 8 -- --socket=/var/run/spamassassin/spamd.sock"
    # sudo vi /etc/default/spamassassin
    -> OPTIONS="--create-prefs --max-children 2 --helper-home-dir /var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamassassin/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660"
    -> CRON=1
    # sudo vi /etc/spamassassin/local.cf
    -> report_safe 0
    -> required_score 5.0
    # sudo systemctl enable spamassassin.service
    # sudo useradd -G debian-spamd spamass-milter
pdns-recursor
Because the Hetzner DNS servers are blocked by some blacklist services for sending too many queries, we install our own DNS recursor.
    # sudo aptitude -t jessie-backports install pdns-recursor
    # sudo vi /etc/powerdns/recursor.conf
    -> The default config is fine so far; change the following if needed:
    -> allow-from=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10
    -> local-address=127.0.0.1
Then enable it for the system, so that Postfix and SpamAssassin also use the local DNS:
    # sudo vi /etc/resolv.conf
    -> Add as the first line:
    -> nameserver 127.0.0.1
    # sudo vi /etc/dhcp/dhclient.conf
    -> prepend domain-name-servers 127.0.0.1;
Mailman
We use mailman for our mailing lists.
    # sudo aptitude install mailman
    -> languages de,en
Adjust the mailman config
    # sudo vi /etc/mailman/mm_cfg.py
    DEFAULT_URL_HOST = 'lists.munichmakerlab.de' # change this line
    MTA='Postfix' # comment out
Integrate into Apache
    # sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/munichmakerlab.de/lists.conf
    # sudo vi /etc/apache2/sites-available/munichmakerlab.de/lists.conf
    -> Only the most important part follows...
    <VirtualHost *:80>
        ServerName lists.munichmakerlab.de
        DocumentRoot /var/www/vhosts/munichmakerlab.de/lists/htdocs
        <Directory /var/lib/mailman/archives/>
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/vhosts/munichmakerlab.de/lists/htdocs/>
            Options FollowSymLinks
            AllowOverride All
        </Directory>
        Alias /pipermail/ /var/lib/mailman/archives/public/
        Alias /images/mailman/ /usr/share/images/mailman/
        ScriptAlias /admin /usr/lib/cgi-bin/mailman/admin
        ScriptAlias /admindb /usr/lib/cgi-bin/mailman/admindb
        ScriptAlias /confirm /usr/lib/cgi-bin/mailman/confirm
        ScriptAlias /create /usr/lib/cgi-bin/mailman/create
        ScriptAlias /edithtml /usr/lib/cgi-bin/mailman/edithtml
        ScriptAlias /listinfo /usr/lib/cgi-bin/mailman/listinfo
        ScriptAlias /options /usr/lib/cgi-bin/mailman/options
        ScriptAlias /private /usr/lib/cgi-bin/mailman/private
        ScriptAlias /rmlist /usr/lib/cgi-bin/mailman/rmlist
        ScriptAlias /roster /usr/lib/cgi-bin/mailman/roster
        ScriptAlias /subscribe /usr/lib/cgi-bin/mailman/subscribe
        ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
        # ScriptAlias / /usr/lib/cgi-bin/mailman/listinfo
        ErrorLog /var/www/vhosts/munichmakerlab.de/www/logs/error.log
        LogLevel warn
        CustomLog /var/www/vhosts/munichmakerlab.de/www/logs/access.log combined
        ServerSignature Off
    </VirtualHost>
    # cd /etc/apache2/sites-enabled/001-munichmakerlab.de
    # sudo ln -s /etc/apache2/sites-available/munichmakerlab.de/lists.conf 003-lists.conf
    # cd /etc/apache2/mods-enabled
    # sudo ln -s ../mods-available/cgi.load cgi.load
We already adjusted Postfix above (separate alias map).
Create the default Mailman list (it is required)
    # cd /var/lib/mailman
    # sudo bin/genaliases
    # sudo newlist mailman
    -> add mail address
    -> add password
Miscellaneous
Fail2ban
To mitigate hacking attacks we use fail2ban. It stops, for example, brute-force attacks on SSH.
    # sudo aptitude install fail2ban
    # cd /etc/fail2ban
    # sudo cp jail.conf jail.local
    # sudo vi jail.local
    -> The SSH, Apache and Postfix jails should already be enabled, or can be enabled in their respective sections with "enabled = true".
We then add our own jail for permanently banning IPs:
    # sudo vi jail.local
    [ip-blacklist]
    enabled = true
    banaction = iptables-allports
    port = anyport
    filter = ip-blacklist
    logpath = /etc/fail2ban/ip.blacklist
    maxretry = 0
    findtime = 15552000
    bantime = -1
    # sudo vi ip.blacklist
    116.31.116.48 [02/08/2016 00:00:00]
    # sudo vi filter.d/ip-blacklist.conf
    [Definition]
    # Option: failregex
    # Notes : Detection of blocked ip addresses.
    # Values: TEXT
    #
    failregex = ^<HOST> \[.*\]$
    # Option: ignoreregex
    # Notes : Regex to ignore.
    # Values: TEXT
    #
    ignoreregex =
IP addresses can then be added to ip.blacklist at any time, in the format
    IP [date]
so, for example
    116.31.116.48 [02/08/2016 00:00:00]
IPs are blacklisted for at most half a year (which is why the timestamp is needed).
Afterwards, never forget to restart fail2ban:
    # sudo systemctl restart fail2ban
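A check for ip.blacklist entries before restarting fail2ban, as an added example that is not part of the original page: it validates each line against the IP [date] format and sorts the entries by whether their timestamp is still inside the jail's findtime of 15552000 seconds. The day/month/year reading of the timestamp, the restriction to literal IP addresses and every sample address other than 116.31.116.48 are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

FINDTIME = timedelta(seconds=15552000)   # findtime of the [ip-blacklist] jail
# Same shape as the filter's failregex, with address and timestamp captured.
LINE_RE = re.compile(r"^(\S+) \[(.*)\]$")
DATE_FORMAT = "%d/%m/%Y %H:%M:%S"        # assumption: day/month/year

# Constructed sample; only the first line is the entry shown on this page.
SAMPLE_BLACKLIST = """\
116.31.116.48 [02/08/2016 00:00:00]
203.0.113.7 [15/01/2017 12:30:00]
198.51.100.300 [01/01/2017 00:00:00]
192.0.2.55 01/01/2017 00:00:00
"""


def check_blacklist(text, now):
    """Sort entries into (active, expired, invalid).

    active  : well-formed, timestamp within FINDTIME of `now`
    expired : well-formed, but older than FINDTIME
    invalid : (line number, line, reason) for lines this check rejects
    """
    active, expired, invalid = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        try:
            if match is None:
                raise ValueError("not in 'IP [date]' format")
            ip = ipaddress.ip_address(match.group(1))
            stamp = datetime.strptime(match.group(2), DATE_FORMAT)
        except ValueError as exc:
            invalid.append((lineno, line, str(exc)))
            continue
        (expired if now - stamp > FINDTIME else active).append(str(ip))
    return active, expired, invalid


if __name__ == "__main__":
    active, expired, invalid = check_blacklist(SAMPLE_BLACKLIST, datetime(2017, 3, 1))
    print("active :", active)
    print("expired:", expired)
    for lineno, line, reason in invalid:
        print(f"line {lineno}: {reason}: {line!r}")
```

On the server itself, fail2ban-regex /etc/fail2ban/ip.blacklist /etc/fail2ban/filter.d/ip-blacklist.conf runs the real filter against the file and shows which lines it matches.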
Logbook
Severin, 31.5.2018
- SpamAssassin socket is located somewhere else, adjusted in /etc/default/spamass-milter
    OPTIONS="-u spamass-milter -I -i 127.0.0.1 -r 5 -- --socket=/var/run/spamd.sock"
- SpamAssassin configured on a TCP socket (/etc/default/spamassassin)
    OPTIONS="--create-prefs --max-children 2 --helper-home-dir=/var/lib/spamassassin --nouser-config --username debian-spamd --socketpath=/var/run/spamd.sock --socketowner=debian-spamd --socketgroup=debian-spamd --socketmode=0660 --listen-ip=127.0.0.1 --port 783 --virtual-config-dir=/var/lib/spamassassin/%u.prefs"
- SpamAssassin Mailman integration from http://www.jamesh.id.au/articles/mailman-spamassassin/ enabled in /var/lib/mailman/Mailman/mm_cfg.py
    GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
    SPAMASSASSIN_HOST = "127.0.0.1:783"
- Enable Bayes, adjust spam score in /etc/spamassassin/local.cf
    required_score 10.0
    use_bayes 1
    bayes_auto_learn 0
- Spam filter trained, mm_learn configured in /root