New index, Fail2ban setup

andryyy 8 years ago
parent
commit
7676fe2dd2

+ 78 - 0
docs/first_steps.md

@@ -158,6 +158,84 @@ docker-compose exec postfix-mailcow chmod 660 /opt/postfix/conf/smarthost_passwd
 docker-compose exec postfix-mailcow postfix reload
 docker-compose exec postfix-mailcow postfix reload
 ```
 ```
 
 
+## Optional: Log to Syslog
+
+Enable Rsyslog to receive logs on 524/tcp:
+
+```
+# This setting depends on your Rsyslog version and configuration format.
+# For most Debian derivates it will work like this...
+$ModLoad imtcp
+$TCPServerAddress 127.0.0.1
+$InputTCPServerRun 524
+
+# ...while for Ubuntu 16.04 it looks like this:
+module(load="imtcp")
+input(type="imtcp" address="127.0.0.1" port="524")
+
+# No matter your Rsyslog version, you should set this option to off
+# if you plan to use Fail2ban
+$RepeatedMsgReduction off
+```
+
+Restart rsyslog after enabling the TCP listener.
+
+Now setup Docker daemon to start with the syslog driver.
+This enables the syslog driver for all containers!
+
+Debian users can change the startup configuration in `/etc/default/docker` while CentOS users find it in `/etc/sysconfig/docker`:
+```
+...
+DOCKER_OPTS="--log-driver=syslog --log-opt syslog-address=tcp://127.0.0.1:524"
+...
+```
+
+**Caution:** For some reason Ubuntu 16.04 and some, but not all, systemd based distros do not read the defaults file parameters.
+
+Just run `systemctl edit docker.service` and add the following content to fix it.
+
+**Note:** If "systemctl edit" is not available, just copy the content to `/etc/systemd/system/docker.service.d/override.conf`.
+
+The first empty ExecStart parameter is not a mistake.
+
+```
+[Service]
+EnvironmentFile=/etc/default/docker
+ExecStart=
+ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
+```
+
+Restart the Docker daemon and run `docker-compose down && docker-compose up -d` to recreate the containers.
+
+### Use Fail2ban
+
+**This is a subsection of "Log to Syslog", which is required for Fail2ban to work.**
+
+Open `/etc/fail2ban/filter.d/common.conf` and search for the prefix_line parameter, change it to ".*":
+
+```
+__prefix_line = .*
+```
+
+Create `/etc/fail2ban/jail.d/dovecot.conf`...
+```
+[dovecot]
+enabled = true
+filter  = dovecot
+logpath = /var/log/syslog
+chain = FORWARD
+```
+
+and `jail.d/postfix-sasl.conf`:
+```
+[postfix-sasl]
+enabled = true
+filter  = postfix-sasl
+logpath = /var/log/syslog
+chain = FORWARD
+```
+
+Restart Fail2ban.
 
 
 ## Install a local MTA
 ## Install a local MTA
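Review bot: The `__prefix_line = .*` step in "Use Fail2ban" edits `/etc/fail2ban/filter.d/common.conf` directly, so the relaxed prefix applies to every filter that includes that file, not only `dovecot` and `postfix-sasl`, and a package upgrade can overwrite the change. Suggest placing the override in `/etc/fail2ban/filter.d/common.local` and stating that an unanchored prefix makes those filters match more loosely. Both jails also set `chain = FORWARD` with no explanation; one sentence on why the bans go into FORWARD (presumably because traffic to the containers is forwarded by the host rather than delivered to its INPUT chain) would help readers who adapt the config. The line "This enables the syslog driver for all containers!" could likewise say that every container on the host, not just the mailcow ones, will then write to `/var/log/syslog`.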
 
 

+ 4 - 1
docs/index.md

@@ -1,6 +1,8 @@
 # mailcow: dockerized - 🐮 + 🐋 = 💕
 # mailcow: dockerized - 🐮 + 🐋 = 💕
 
 
-[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=JWBSYHF4SMC68)
+[![Servercow](https://www.servercow.de/img/cow_globe_200.svg)](https://www.servercow.de)
+
+If you want to support mailcow, consider hosting mailcow on a Servercow virtual machine @ Servercow!
 
 
 ## Screenshots
 ## Screenshots
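Review bot: The sentence added under the new badge repeats itself ("hosting mailcow on a Servercow virtual machine @ Servercow"); suggest "consider hosting it on a Servercow virtual machine". The PayPal donate badge is removed in the same hunk with no other donation route left on the page, which the commit message "New index, Fail2ban setup" does not mention; if that is intended, say so in the message.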
 
 
@@ -30,6 +32,7 @@ mailcow dockerized comes with **11 containers** linked in **one bridged network*
 - mysql-vol-1
 - mysql-vol-1
 - rspamd-vol-1
 - rspamd-vol-1
 - postfix-vol-1
 - postfix-vol-1
+- crypt-vol-1
 
 
 The integrated **mailcow UI** allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access:
 The integrated **mailcow UI** allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access:
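Review bot: `crypt-vol-1` is added to the volume list with no description of what it stores. If, as the name suggests, it holds key material, the docs should say so and tell the reader to include it in backups, since restoring the other volumes without it may not be enough. If the text above the list states how many volumes there are, that number needs updating too.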