New index, Fail2ban setup

master
andryyy 2017-04-20 21:12:59 +02:00
parent 01bcc5e653
commit 7676fe2dd2
2 changed files with 82 additions and 1 deletions

View File

@ -158,6 +158,84 @@ docker-compose exec postfix-mailcow chmod 660 /opt/postfix/conf/smarthost_passwd
docker-compose exec postfix-mailcow postfix reload
```
## Optional: Log to Syslog
Enable Rsyslog to receive logs on 524/tcp:
```
# This setting depends on your Rsyslog version and configuration format.
# For most Debian derivates it will work like this...
$ModLoad imtcp
$TCPServerAddress 127.0.0.1
$InputTCPServerRun 524
# ...while for Ubuntu 16.04 it looks like this:
module(load="imtcp")
input(type="imtcp" address="127.0.0.1" port="524")
# No matter your Rsyslog version, you should set this option to off
# if you plan to use Fail2ban
$RepeatedMsgReduction off
```
Restart rsyslog after enabling the TCP listener.
Now setup Docker daemon to start with the syslog driver.
This enables the syslog driver for all containers!
Debian users can change the startup configuration in `/etc/default/docker` while CentOS users find it in `/etc/sysconfig/docker`:
```
...
DOCKER_OPTS="--log-driver=syslog --log-opt syslog-address=tcp://127.0.0.1:524"
...
```
**Caution:** For some reason Ubuntu 16.04 and some, but not all, systemd based distros do not read the defaults file parameters.
Just run `systemctl edit docker.service` and add the following content to fix it.
**Note:** If "systemctl edit" is not available, just copy the content to `/etc/systemd/system/docker.service.d/override.conf`.
The first empty ExecStart parameter is not a mistake.
```
[Service]
EnvironmentFile=/etc/default/docker
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
```
Restart the Docker daemon and run `docker-compose down && docker-compose up -d` to recreate the containers.
### Use Fail2ban
**This is a subsection of "Log to Syslog", which is required for Fail2ban to work.**
Open `/etc/fail2ban/filter.d/common.conf` and search for the prefix_line parameter, change it to ".*":
```
__prefix_line = .*
```
Create `/etc/fail2ban/jail.d/dovecot.conf`...
```
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/syslog
chain = FORWARD
```
and `jail.d/postfix-sasl.conf`:
```
[postfix-sasl]
enabled = true
filter = postfix-sasl
logpath = /var/log/syslog
chain = FORWARD
```
Restart Fail2ban.
## Install a local MTA

View File

@ -1,6 +1,8 @@
# mailcow: dockerized - 🐮 + 🐋 = 💕
[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=JWBSYHF4SMC68)
[![Servercow](https://www.servercow.de/img/cow_globe_200.svg)](https://www.servercow.de)
If you want to support mailcow, consider hosting mailcow on a Servercow virtual machine @ Servercow!
## Screenshots
@ -30,6 +32,7 @@ mailcow dockerized comes with **11 containers** linked in **one bridged network*
- mysql-vol-1
- rspamd-vol-1
- postfix-vol-1
- crypt-vol-1
The integrated **mailcow UI** allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access: