Implement additional features to next release of EFA?
Posted: 28 Nov 2016 08:51
I'm sharing my know-how for improving EFA. Would you consider including it in the next releases?
With best regards
Installing FAIL2BAN to work with EFA servers:
##################
# INSTALL FAIL 2 BAN
##################
# fail2ban is not in the base RHEL/CentOS repositories; if yum answers
# "No package fail2ban available", enable EPEL first.
# NOTE(review): the post does not state the OS release — confirm for your EFA build.
yum install fail2ban
#############
# EDIT jail.conf
#############
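# Put the jail settings in jail.local, not jail.conf: fail2ban reads jail.local
# on top of jail.conf, and jail.conf is replaced on package updates (its own
# header says not to edit it), which would silently drop these jails.
vi /etc/fail2ban/jail.local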
# Copy content:
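# Postfix jails. The second line of each "action" is a continuation of a
# multi-line value and MUST be indented: pasted flush-left (as the forum
# rendered it) fail2ban's parser treats it as a new option and rejects the
# whole configuration.
# Before enabling permanent bans, dry-run the filter against real logs so a
# false positive does not lock out a legitimate MTA for good:
#   fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf
[postfix-tcpwrapper]
enabled = true
port = smtp,465,submission
# two actions: block with the default banaction (iptables chain f2b-<jail>) and
# mail a whois report plus the matching log lines to destemail
# (needs a whois binary — see "yum install jwhois" further down)
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
         %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
filter = postfix
logpath = /var/log/maillog
# maxretry is inherited from [DEFAULT]; -1 = permanent ban, released only by
# hand (see "REMOVE BLOCKED IPS" below)
bantime = -1

[postfix-sasl]
enabled = true
# ports closed to a banned host; the imap/pop entries only matter if those
# services actually run on this box
port = smtp,465,submission,imap3,imaps,pop3,pop3s
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
         %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
filter = postfix-sasl
logpath = /var/log/maillog
# three failed SASL logins -> permanent ban
maxretry = 3
bantime = -1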
# To release bans automatically after n seconds instead of keeping them
# forever, set bantime in the jail (same file you edited above: jail.conf, or
# preferably jail.local). Example — release after 10 hours:
bantime = 36000
# Ban notifications: the whois-lines action mails from "sender" to "destemail".
# Set both in the [DEFAULT] section. The values below are placeholders —
# replace them with real mailboxes in your own domain.
sender = administrator@domain.com
destemail = recipient@domain.com
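# Restart fail2ban so the new jails are loaded
/etc/init.d/fail2ban restart
# Confirm the jails actually came up: a configuration error shows here (the
# restart itself may still report OK)
fail2ban-client status
# Make fail2ban start at boot if it is not already enabled
chkconfig fail2ban on
# List which services are enabled at boot
chkconfig --list
# Turn off unnecessary services. munin-node is a monitoring agent (similar to
# a Nagios client); only disable it if nothing polls this host for munin data.
chkconfig munin-node off
# List the firewall rules with line numbers: this shows the f2b-* chains
# fail2ban created (it lists rules, not "open ports")
iptables --line-numbers -vnL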
#####################
# REMOVE BLOCKED IPS
#####################
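# Show the current bans. fail2ban keeps its own ban list — do not rely on the
# iptables output alone.
fail2ban-client status postfix-tcpwrapper
# Release an address through fail2ban so its internal state stays in sync.
# Deleting the rule directly ("iptables -D f2b-postfix-tcpwrapper <line>")
# leaves fail2ban believing the host is still banned, and the ban may be
# re-applied when fail2ban restarts. Same procedure for the postfix-sasl jail.
fail2ban-client set postfix-tcpwrapper unbanip 192.0.2.10   # replace with the address to release
# Verify it is gone from the firewall chain
iptables --line-numbers -vnL f2b-postfix-tcpwrapper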
###################################
# Change default location of fail2ban LOGS
###################################
# fail2ban.conf holds daemon-level settings (log target, log level);
# jail settings belong in jail.conf/jail.local, not here
vi /etc/fail2ban/fail2ban.conf
# Switch the daemon log from syslog to a dedicated file.
# NOTE(review): make sure something rotates that file (check
# /etc/logrotate.d/fail2ban); permanent-ban jails log every hit.
#logtarget = SYSLOG
logtarget = /var/log/fail2ban
# restart so the new logtarget takes effect
/etc/init.d/fail2ban restart
# INSTALL JWHOIS
# provides the whois binary that the %(mta)s-whois-lines action runs to
# include a whois report in the ban e-mail; without it the mail is sent
# without that report (or the action fails)
yum install jwhois
------------------------------------------------------------------------------------------------------------------------------------------
Block ransomware ("crypto virus") senders by IP address and sender domain
#Create FOLDER for FILES:
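# -p creates the whole path in one step and is a no-op if it already exists
# (two separate mkdir calls abort on the second if the first was skipped)
mkdir -p /opt/efa/bin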
############################################
# Blocking CRYPTO VIRUS guys by IP address #
############################################
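# Download the IP list into a scratch file (never straight into /etc/postfix:
# "wget -O" truncates the target even when the download fails).
# NOTE: the forum shortened this URL ("down ..."); use the full RW_IPBL.txt
# download link from ransomwaretracker.abuse.ch and confirm the feed is still
# published before depending on it.
wget -O /opt/efa/bin/client_checks.raw 'https://ransomwaretracker.abuse.ch/down ... W_IPBL.txt'
# Build the access map: strip CR, keep ONLY plain IPv4 addresses, append REJECT.
# Every surviving line becomes a Postfix rule, so feed headers, an HTML error
# page or a tampered feed must not get through. CIDR ranges are dropped as
# well: a hash: map cannot match them (use a cidr: table if the feed has any).
tr -d '\r' < /opt/efa/bin/client_checks.raw \
  | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
  | sed 's/$/ REJECT/' > /opt/efa/bin/client_checks
# Sanity check: 0 lines means the download or the filter failed — stop here
# rather than install an empty map (Postfix would then block nothing, silently).
wc -l /opt/efa/bin/client_checks
# install the map and build its .db index
mv /opt/efa/bin/client_checks /etc/postfix/
/usr/sbin/postmap /etc/postfix/client_checks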
#########################################
# Blocking CRYPTO VIRUS by domain names #
#########################################
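# Download the domain list into a scratch file (not straight into /etc/postfix).
# NOTE: the forum shortened this URL ("down ..."); use the full RW_DOMBL.txt
# download link from ransomwaretracker.abuse.ch.
wget -O /opt/efa/bin/sender_checks.raw 'https://ransomwaretracker.abuse.ch/down ... _DOMBL.txt'
# Keep ONLY lines that look like a hostname and append REJECT. Feed headers,
# HTML error pages or a tampered feed must never become access rules.
# check_sender_access matches the envelope sender's domain (and, by default,
# its parent domains). Bear in mind the envelope sender is trivially forged —
# the IP list above is the stronger control.
tr -d '\r' < /opt/efa/bin/sender_checks.raw \
  | grep -E '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' \
  | sed 's/$/ REJECT/' > /opt/efa/bin/sender_checks
# 0 lines = download or filter failed; stop here instead of installing an empty map
wc -l /opt/efa/bin/sender_checks
# install the map and build its .db index
mv /opt/efa/bin/sender_checks /etc/postfix/
/usr/sbin/postmap /etc/postfix/sender_checks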
# EDIT MAIN.CF
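# keep a copy of the working config so the restriction list can be rolled
# back if Postfix refuses to start after the edit
cp -p /etc/postfix/main.cf "/etc/postfix/main.cf.bak.$(date +%Y%m%d%H%M)"
vi /etc/postfix/main.cf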
Delete the whole existing smtpd_recipient_restrictions setting (it normally spans several indented continuation lines, not just one) and replace it with the block below. Keep the leading whitespace on every line after the first — Postfix only treats indented lines as part of the same setting.
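# Postfix main.cf: a value continues on following lines ONLY if they start
# with whitespace. Keep the indentation below — pasted flush-left (as the
# forum rendered it) Postfix refuses each continuation line as a parameter
# with a missing "=" and the list collapses to permit_sasl_authenticated alone.
# Order matters: both block lists run before permit_mynetworks, so a listed
# address/domain is rejected even from trusted networks (authenticated users
# bypass them). reject_unauth_destination must stay in the list — without it
# this host is an open relay.
# hash: tables match exact keys (client IPs also by truncated-octet parent
# networks, senders also by parent domain); CIDR ranges need a cidr: table.
# The last three entries look like the appliance's existing hooks — compare
# with the value you deleted and keep anything else it had.
smtpd_recipient_restrictions = permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_policy_service unix:private/policy,
    check_policy_service inet:127.0.0.1:2501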
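# Check the configuration before restarting: a broken main.cf would take
# mail down instead of just failing the reload
postfix check
# RESTART POSTFIX
/etc/init.d/postfix restart
# Verify the whole restriction list was picked up (a flush-left continuation
# line would be missing from this output)
postconf -n smtpd_recipient_restrictions
# Add a script to run from cron (cron is the Linux equivalent of the Windows
# Task Scheduler). Create the file and paste the SCRIPT content below into it:
vi /opt/efa/bin/block_rbl_bad_guys.sh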
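# SCRIPT STARTS HERE (copy from the "#!" line down to the END marker; the "#!"
# line must be the first line of the file) #
#!/usr/bin/env bash
#
# /opt/efa/bin/block_rbl_bad_guys.sh
#
# Refresh the two Postfix access maps fed from abuse.ch Ransomware Tracker:
#   /etc/postfix/client_checks  (IPv4 addresses, used by check_client_access)
#   /etc/postfix/sender_checks  (domains, used by check_sender_access)
# Every line that survives filtering becomes "<key> REJECT". A map is only
# replaced when its download succeeded and produced at least one valid entry;
# otherwise the previous map stays in place and the script exits non-zero.
set -euo pipefail

# NOTE: the forum shortened these URLs ("down ..."); paste the full download
# links for RW_IPBL.txt / RW_DOMBL.txt and confirm the feed is still published.
readonly IP_URL='https://ransomwaretracker.abuse.ch/down ... W_IPBL.txt'
readonly DOM_URL='https://ransomwaretracker.abuse.ch/down ... _DOMBL.txt'
readonly POSTFIX_DIR=/etc/postfix
# Only plain IPv4 addresses: a hash: map cannot match CIDR ranges.
readonly IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
# Hostname characters only; feed headers, HTML error pages etc. are dropped.
readonly DOM_RE='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'

scratch=$(mktemp -d) || exit 1
# Remove the download scratch dir and any half-built .new map on every exit path.
cleanup() {
  rm -rf -- "$scratch"
  rm -f -- "$POSTFIX_DIR"/client_checks.new "$POSTFIX_DIR"/client_checks.new.db \
           "$POSTFIX_DIR"/sender_checks.new "$POSTFIX_DIR"/sender_checks.new.db
}
trap cleanup EXIT

# to_reject_map REGEX: stdin -> stdout. Normalise CRLF, keep only lines that
# match REGEX and append " REJECT". Emits nothing when nothing matches.
to_reject_map() {
  tr -d '\r' | { grep -E -- "$1" || true; } | sed 's/$/ REJECT/'
}

# refresh_map URL REGEX NAME: download URL, build the map, index it with
# postmap and swap it into /etc/postfix (rename of the .db, which is what
# Postfix actually reads). Returns 1 and leaves the old map alone on failure.
refresh_map() {
  local url=$1 pattern=$2 name=$3
  local raw="$scratch/$name.raw" new="$POSTFIX_DIR/$name.new"
  # download to scratch first: "wget -O /etc/postfix/<map>" would truncate the
  # live map to an empty file when the download fails
  if ! wget -q -O "$raw" -- "$url"; then
    echo "$0: download of $url failed; keeping old $name" >&2
    return 1
  fi
  to_reject_map "$pattern" < "$raw" > "$new"
  if [[ ! -s "$new" ]]; then
    echo "$0: no valid entries in $url; keeping old $name" >&2
    return 1
  fi
  /usr/sbin/postmap "hash:$new"
  mv -f -- "$new.db" "$POSTFIX_DIR/$name.db"
  mv -f -- "$new" "$POSTFIX_DIR/$name"   # keep the text source next to the index
}

rc=0
refresh_map "$IP_URL"  "$IP_RE"  client_checks || rc=1
refresh_map "$DOM_URL" "$DOM_RE" sender_checks || rc=1
exit "$rc"
# SCRIPT ENDS HERE #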
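# Make the script executable. It lives in /opt/efa/bin, not /etc/postfix —
# chmod on the wrong path fails and cron would later be unable to run it.
chmod u+x /opt/efa/bin/block_rbl_bad_guys.sh
# Add it to root's crontab (run this as root: postmap must write to /etc/postfix)
crontab -e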
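# Run at minute 0 of every second hour. ("* */2 * * *" would run it every
# minute during those hours.) The file name is block_rbl_bad_guys.sh — the
# original entry had a typo ("bad_buys") and would never have run.
# Log output instead of discarding it, so a failed download or postmap is visible.
0 */2 * * * /opt/efa/bin/block_rbl_bad_guys.sh >>/var/log/block_rbl_bad_guys.log 2>&1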
With best regards
Installing FAIL2BAN to work with EFA servers:
##################
# INSTALL FAIL 2 BAN
##################
# fail2ban is not in the base RHEL/CentOS repositories; if yum answers
# "No package fail2ban available", enable EPEL first.
# NOTE(review): the post does not state the OS release — confirm for your EFA build.
yum install fail2ban
#############
# EDIT jail.conf
#############
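# Put the jail settings in jail.local, not jail.conf: fail2ban reads jail.local
# on top of jail.conf, and jail.conf is replaced on package updates (its own
# header says not to edit it), which would silently drop these jails.
vi /etc/fail2ban/jail.local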
# Copy content:
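# Postfix jails. The second line of each "action" is a continuation of a
# multi-line value and MUST be indented: pasted flush-left (as the forum
# rendered it) fail2ban's parser treats it as a new option and rejects the
# whole configuration.
# Before enabling permanent bans, dry-run the filter against real logs so a
# false positive does not lock out a legitimate MTA for good:
#   fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf
[postfix-tcpwrapper]
enabled = true
port = smtp,465,submission
# two actions: block with the default banaction (iptables chain f2b-<jail>) and
# mail a whois report plus the matching log lines to destemail
# (needs a whois binary — see "yum install jwhois" further down)
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
         %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
filter = postfix
logpath = /var/log/maillog
# maxretry is inherited from [DEFAULT]; -1 = permanent ban, released only by
# hand (see "REMOVE BLOCKED IPS" below)
bantime = -1

[postfix-sasl]
enabled = true
# ports closed to a banned host; the imap/pop entries only matter if those
# services actually run on this box
port = smtp,465,submission,imap3,imaps,pop3,pop3s
action = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
         %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
filter = postfix-sasl
logpath = /var/log/maillog
# three failed SASL logins -> permanent ban
maxretry = 3
bantime = -1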
# To release bans automatically after n seconds instead of keeping them
# forever, set bantime in the jail (same file you edited above: jail.conf, or
# preferably jail.local). Example — release after 10 hours:
bantime = 36000
# Ban notifications: the whois-lines action mails from "sender" to "destemail".
# Set both in the [DEFAULT] section. The values below are placeholders —
# replace them with real mailboxes in your own domain.
sender = administrator@domain.com
destemail = recipient@domain.com
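# Restart fail2ban so the new jails are loaded
/etc/init.d/fail2ban restart
# Confirm the jails actually came up: a configuration error shows here (the
# restart itself may still report OK)
fail2ban-client status
# Make fail2ban start at boot if it is not already enabled
chkconfig fail2ban on
# List which services are enabled at boot
chkconfig --list
# Turn off unnecessary services. munin-node is a monitoring agent (similar to
# a Nagios client); only disable it if nothing polls this host for munin data.
chkconfig munin-node off
# List the firewall rules with line numbers: this shows the f2b-* chains
# fail2ban created (it lists rules, not "open ports")
iptables --line-numbers -vnL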
#####################
# REMOVE BLOCKED IPS
#####################
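# Show the current bans. fail2ban keeps its own ban list — do not rely on the
# iptables output alone.
fail2ban-client status postfix-tcpwrapper
# Release an address through fail2ban so its internal state stays in sync.
# Deleting the rule directly ("iptables -D f2b-postfix-tcpwrapper <line>")
# leaves fail2ban believing the host is still banned, and the ban may be
# re-applied when fail2ban restarts. Same procedure for the postfix-sasl jail.
fail2ban-client set postfix-tcpwrapper unbanip 192.0.2.10   # replace with the address to release
# Verify it is gone from the firewall chain
iptables --line-numbers -vnL f2b-postfix-tcpwrapper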
###################################
# Change default location of fail2ban LOGS
###################################
# fail2ban.conf holds daemon-level settings (log target, log level);
# jail settings belong in jail.conf/jail.local, not here
vi /etc/fail2ban/fail2ban.conf
# Switch the daemon log from syslog to a dedicated file.
# NOTE(review): make sure something rotates that file (check
# /etc/logrotate.d/fail2ban); permanent-ban jails log every hit.
#logtarget = SYSLOG
logtarget = /var/log/fail2ban
# restart so the new logtarget takes effect
/etc/init.d/fail2ban restart
# INSTALL JWHOIS
# provides the whois binary that the %(mta)s-whois-lines action runs to
# include a whois report in the ban e-mail; without it the mail is sent
# without that report (or the action fails)
yum install jwhois
------------------------------------------------------------------------------------------------------------------------------------------
Block ransomware ("crypto virus") senders by IP address and sender domain
#Create FOLDER for FILES:
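# -p creates the whole path in one step and is a no-op if it already exists
# (two separate mkdir calls abort on the second if the first was skipped)
mkdir -p /opt/efa/bin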
############################################
# Blocking CRYPTO VIRUS guys by IP address #
############################################
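# Download the IP list into a scratch file (never straight into /etc/postfix:
# "wget -O" truncates the target even when the download fails).
# NOTE: the forum shortened this URL ("down ..."); use the full RW_IPBL.txt
# download link from ransomwaretracker.abuse.ch and confirm the feed is still
# published before depending on it.
wget -O /opt/efa/bin/client_checks.raw 'https://ransomwaretracker.abuse.ch/down ... W_IPBL.txt'
# Build the access map: strip CR, keep ONLY plain IPv4 addresses, append REJECT.
# Every surviving line becomes a Postfix rule, so feed headers, an HTML error
# page or a tampered feed must not get through. CIDR ranges are dropped as
# well: a hash: map cannot match them (use a cidr: table if the feed has any).
tr -d '\r' < /opt/efa/bin/client_checks.raw \
  | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
  | sed 's/$/ REJECT/' > /opt/efa/bin/client_checks
# Sanity check: 0 lines means the download or the filter failed — stop here
# rather than install an empty map (Postfix would then block nothing, silently).
wc -l /opt/efa/bin/client_checks
# install the map and build its .db index
mv /opt/efa/bin/client_checks /etc/postfix/
/usr/sbin/postmap /etc/postfix/client_checks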
#########################################
# Blocking CRYPTO VIRUS by domain names #
#########################################
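# Download the domain list into a scratch file (not straight into /etc/postfix).
# NOTE: the forum shortened this URL ("down ..."); use the full RW_DOMBL.txt
# download link from ransomwaretracker.abuse.ch.
wget -O /opt/efa/bin/sender_checks.raw 'https://ransomwaretracker.abuse.ch/down ... _DOMBL.txt'
# Keep ONLY lines that look like a hostname and append REJECT. Feed headers,
# HTML error pages or a tampered feed must never become access rules.
# check_sender_access matches the envelope sender's domain (and, by default,
# its parent domains). Bear in mind the envelope sender is trivially forged —
# the IP list above is the stronger control.
tr -d '\r' < /opt/efa/bin/sender_checks.raw \
  | grep -E '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' \
  | sed 's/$/ REJECT/' > /opt/efa/bin/sender_checks
# 0 lines = download or filter failed; stop here instead of installing an empty map
wc -l /opt/efa/bin/sender_checks
# install the map and build its .db index
mv /opt/efa/bin/sender_checks /etc/postfix/
/usr/sbin/postmap /etc/postfix/sender_checks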
# EDIT MAIN.CF
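# keep a copy of the working config so the restriction list can be rolled
# back if Postfix refuses to start after the edit
cp -p /etc/postfix/main.cf "/etc/postfix/main.cf.bak.$(date +%Y%m%d%H%M)"
vi /etc/postfix/main.cf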
Delete the whole existing smtpd_recipient_restrictions setting (it normally spans several indented continuation lines, not just one) and replace it with the block below. Keep the leading whitespace on every line after the first — Postfix only treats indented lines as part of the same setting.
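# Postfix main.cf: a value continues on following lines ONLY if they start
# with whitespace. Keep the indentation below — pasted flush-left (as the
# forum rendered it) Postfix refuses each continuation line as a parameter
# with a missing "=" and the list collapses to permit_sasl_authenticated alone.
# Order matters: both block lists run before permit_mynetworks, so a listed
# address/domain is rejected even from trusted networks (authenticated users
# bypass them). reject_unauth_destination must stay in the list — without it
# this host is an open relay.
# hash: tables match exact keys (client IPs also by truncated-octet parent
# networks, senders also by parent domain); CIDR ranges need a cidr: table.
# The last three entries look like the appliance's existing hooks — compare
# with the value you deleted and keep anything else it had.
smtpd_recipient_restrictions = permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_policy_service unix:private/policy,
    check_policy_service inet:127.0.0.1:2501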
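# Check the configuration before restarting: a broken main.cf would take
# mail down instead of just failing the reload
postfix check
# RESTART POSTFIX
/etc/init.d/postfix restart
# Verify the whole restriction list was picked up (a flush-left continuation
# line would be missing from this output)
postconf -n smtpd_recipient_restrictions
# Add a script to run from cron (cron is the Linux equivalent of the Windows
# Task Scheduler). Create the file and paste the SCRIPT content below into it:
vi /opt/efa/bin/block_rbl_bad_guys.sh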
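# SCRIPT STARTS HERE (copy from the "#!" line down to the END marker; the "#!"
# line must be the first line of the file) #
#!/usr/bin/env bash
#
# /opt/efa/bin/block_rbl_bad_guys.sh
#
# Refresh the two Postfix access maps fed from abuse.ch Ransomware Tracker:
#   /etc/postfix/client_checks  (IPv4 addresses, used by check_client_access)
#   /etc/postfix/sender_checks  (domains, used by check_sender_access)
# Every line that survives filtering becomes "<key> REJECT". A map is only
# replaced when its download succeeded and produced at least one valid entry;
# otherwise the previous map stays in place and the script exits non-zero.
set -euo pipefail

# NOTE: the forum shortened these URLs ("down ..."); paste the full download
# links for RW_IPBL.txt / RW_DOMBL.txt and confirm the feed is still published.
readonly IP_URL='https://ransomwaretracker.abuse.ch/down ... W_IPBL.txt'
readonly DOM_URL='https://ransomwaretracker.abuse.ch/down ... _DOMBL.txt'
readonly POSTFIX_DIR=/etc/postfix
# Only plain IPv4 addresses: a hash: map cannot match CIDR ranges.
readonly IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
# Hostname characters only; feed headers, HTML error pages etc. are dropped.
readonly DOM_RE='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'

scratch=$(mktemp -d) || exit 1
# Remove the download scratch dir and any half-built .new map on every exit path.
cleanup() {
  rm -rf -- "$scratch"
  rm -f -- "$POSTFIX_DIR"/client_checks.new "$POSTFIX_DIR"/client_checks.new.db \
           "$POSTFIX_DIR"/sender_checks.new "$POSTFIX_DIR"/sender_checks.new.db
}
trap cleanup EXIT

# to_reject_map REGEX: stdin -> stdout. Normalise CRLF, keep only lines that
# match REGEX and append " REJECT". Emits nothing when nothing matches.
to_reject_map() {
  tr -d '\r' | { grep -E -- "$1" || true; } | sed 's/$/ REJECT/'
}

# refresh_map URL REGEX NAME: download URL, build the map, index it with
# postmap and swap it into /etc/postfix (rename of the .db, which is what
# Postfix actually reads). Returns 1 and leaves the old map alone on failure.
refresh_map() {
  local url=$1 pattern=$2 name=$3
  local raw="$scratch/$name.raw" new="$POSTFIX_DIR/$name.new"
  # download to scratch first: "wget -O /etc/postfix/<map>" would truncate the
  # live map to an empty file when the download fails
  if ! wget -q -O "$raw" -- "$url"; then
    echo "$0: download of $url failed; keeping old $name" >&2
    return 1
  fi
  to_reject_map "$pattern" < "$raw" > "$new"
  if [[ ! -s "$new" ]]; then
    echo "$0: no valid entries in $url; keeping old $name" >&2
    return 1
  fi
  /usr/sbin/postmap "hash:$new"
  mv -f -- "$new.db" "$POSTFIX_DIR/$name.db"
  mv -f -- "$new" "$POSTFIX_DIR/$name"   # keep the text source next to the index
}

rc=0
refresh_map "$IP_URL"  "$IP_RE"  client_checks || rc=1
refresh_map "$DOM_URL" "$DOM_RE" sender_checks || rc=1
exit "$rc"
# SCRIPT ENDS HERE #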
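# Make the script executable. It lives in /opt/efa/bin, not /etc/postfix —
# chmod on the wrong path fails and cron would later be unable to run it.
chmod u+x /opt/efa/bin/block_rbl_bad_guys.sh
# Add it to root's crontab (run this as root: postmap must write to /etc/postfix)
crontab -e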
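# Run at minute 0 of every second hour. ("* */2 * * *" would run it every
# minute during those hours.) The file name is block_rbl_bad_guys.sh — the
# original entry had a typo ("bad_buys") and would never have run.
# Log output instead of discarding it, so a failed download or postmap is visible.
0 */2 * * * /opt/efa/bin/block_rbl_bad_guys.sh >>/var/log/block_rbl_bad_guys.log 2>&1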