New: fail2ban.sql.html.

Zhang Huangbin 2020-04-15 13:54:43 +08:00
parent fc4953b7df
commit d1c1ea76ac
6 changed files with 644 additions and 10 deletions

316
en_US/howto/fail2ban.sql.md Normal file

@ -0,0 +1,316 @@
# Fail2ban: Store banned IP addresses in SQL database
[TOC]
## Summary
Since iRedMail-1.2, Fail2ban is configured to store banned IP addresses in
SQL database. If you run iRedAdmin-Pro or your own web admin panel, it will be
very easy to check and manage banned IP addresses. But if you don't run
iRedAdmin-Pro or don't have custom web admin panel, this integration is totally
optional.
With this SQL integration, to unban an IP address from web admin panel, you can
simply update value of column `banned.remove` to `1`, then wait for up to one
minute, a cron job will call `fail2ban-client` to actually unban it.
With iRedAdmin-Pro, you can login as global admin, go to
`Activities -> Banned IP Addresses`, then click the `Unban` button to unban it.
![](./images/iredadmin/activity_banned_ip_addresses.png){: width="900px" }
## How it works
When some client triggers the ban, Fail2ban will perform actions defined in
`action =` parameter in jail config file. For example, in jail `sshd`
(`/etc/fail2ban/jail.d/sshd.local`):
```
[sshd]
enabled = ...
filter = ...
logpath = ...
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
```
Action name `iptables-multipart` maps to commands defined in
`/etc/fail2ban/action.d/iptables-multiport.conf` for different fail2ban actions.
For example:
```
[Definition]
# Notes.: command executed once at the start of Fail2Ban.
actionstart = ...
# Notes.: command executed once at the end of Fail2Ban
actionstop = ...
# Notes.: command executed once before each actionban command
actioncheck = ...
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
actionban = ...
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
```
In this tutorial, we will add a custom action config file and update jail
config files to use this action.
## Create required SQL database
### For OpenLDAP backend and MySQL/MariaDB backends
We will create a new database named `fail2ban` to store banned IP addresses,
also a SQL user `fail2ban`.
* Run commands below as `root` user:
```
cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.mysql
```
* Run __SQL commands__ below as __MySQL `root` user__:
!!! warning
Please replace `<my-secret-password>` by your own strong password.
```
CREATE DATABASE fail2ban DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL ON fail2ban.* TO 'fail2ban'@'localhost' IDENTIFIED BY '<my-secret-password>';
USE fail2ban;
SOURCE /tmp/fail2ban.mysql;
```
* Create required file: `/root/.my.cnf-fail2ban`. Script will read MySQL
credential from this file instead of storing plain password in script.
```
[client]
host="127.0.0.1"
port="3306"
user="fail2ban"
password="<my-secret-password>"
```
### For PostgreSQL backend
We will create a new database named `fail2ban` to store banned IP addresses,
also a SQL user `fail2ban`.
* Run commands below as `root` user, then switch to PostgreSQL daemon user
`postgres` and connect to SQL server:
```
cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.pgsql
su - postgres
psql -d template1
```
* Run __SQL commands__ below:
!!! warning
Please replace `<my-secret-password>` by your own strong password.
```
CREATE DATABASE fail2ban WITH TEMPLATE template0 ENCODING 'UTF8';
CREATE USER fail2ban WITH ENCRYPTED PASSWORD '<my-secret-password>' NOSUPERUSER NOCREATEDB NOCREATEROLE;
ALTER DATABASE fail2ban OWNER TO fail2ban;
-- PostgreSQL will prompt to input password for user "fail2ban" with command below.
\c fail2ban fail2ban;
\i /tmp/fail2ban.pgsql;
```
* Now append line below to file `~/.pgpass` under PostgreSQL daemon user's
HOME directory. Script will read SQL credential from this file.
```
*:*:*:fail2ban:<my-secret-password>
```
## Add required Fail2ban config file and script
On Linux, run commands below as `root` user:
```
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/action.d/banned_db.conf
mv banned_db.conf /etc/fail2ban/action.d/
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/bin/fail2ban_banned_db
mv fail2ban_banned_db /usr/local/bin/
chmod 0550 /usr/local/bin/fail2ban_banned_db
```
File `/etc/fail2ban/action.d/banned_db.conf` indicates we now have a new action
named `banned_db` (it's file name without extension). Feel free to open this
file and check what it does.
Script `/usr/local/bin/fail2ban_banned_db` will read `/root/.my.cnf-fail2ban`
(OpenLDAP/MySQL/MariaDB backends) or `~postgresql/.pgpass` (PostgreSQL backend)
to read SQL credential.
## Enable the new action `banned_db`
Now go to `/etc/fail2ban/jail.d/` and update config files for the jails you
want to store banned IP in SQL db. Let's take `sshd.local` for example.
* The `action =` line in original file looks like this:
```
[sshd]
...
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
```
* Add our new action under existing action:
```
[sshd]
...
action = iptables-multiport[name=sshd, port="22", protocol=tcp]
banned_db[name=sshd, port="22", protocol=tcp]
```
That's it. It's recommend to enable this new action `banned_db` for all jails.
Now restart `fail2ban` service to load modified config files.
## Add required cron job to query SQL database and unban IP addresses
Now add a cron job for `root` user:
```
* * * * * /bin/bash /usr/local/bin/fail2ban_banned_db unban_db
```
It runs every minute and query SQL database to get IP addresses which are
pending for removal.
## Optional: Add GeoIP database to look up location of banned IP address
Script `/usr/local/bin/fail2ban_banned_db` detects whether commands
`geoiplookup` and `geoiplookup6` exist, if exist, it runs the command to query
country of banned IP address and store it in SQL database.
* On RHEL/CentOS 7:
```
yum -y install GeoIP GeoIP-data
```
* On RHEL/CentOS 8:
```
yum -y install GeoIP GeoIP-GeoLite-data
```
* On Debian/Ubuntu:
```
apt -y install geoip-bin geoip-database
```
* On OpenBSD 6.6:
```
pkg_add GeoIP geolite-country
```
## Tests
!!! attention
We use MySQL for example here.
Run `fail2ban-client` command as `root` user to ban 2 IP addresses like below:
```
fail2ban-client set sshd banip 1.1.1.1
fail2ban-client set sshd banip 1.1.1.2
```
You can see the banned IP address with command `fail2ban-client status <jail>`:
```
fail2ban-client status sshd
```
Command output:
```
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: ...
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 1.1.1.2 1.1.1.1
```
Now run command below to query SQL table `fail2ban.banned` as `root` user:
```
mysql fail2ban -e "SELECT * FROM banned"
```
You should see the command output like below:
```
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
| id | ip | ports | protocol | jail | hostname | country | timestamp | remove |
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
| 3 | 1.1.1.1 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:57 | 0 |
| 4 | 1.1.1.2 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:58 | 0 |
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
```
Now run `fail2ban-client` command to unban IP and query SQL table
`fail2ban.banned` again, you should see unbanned IP is gone:
```
fail2ban-client set sshd unbanip 1.1.1.1
```
Now run command as `root` user to update SQL column `banned.remove=1` to
simulate the unban triggered by iRedAdmin-Pro:
```
mysql fail2ban -e "UPDATE banned SET remove=1 WHERE ip='1.1.1.2'"
```
Run script `/usr/local/bin/fail2ban_banned_db` with argument `unban_db` as `root` user:
```
/usr/local/bin/fail2ban_banned_db unbandb
```
Again, query SQL table `fail2ban.banned` as `root` user, you should see the IP
stored in SQL db with `remove=1` is gone, and unbanned in fail2ban too:
```
mysql fail2ban -e "SELECT * FROM banned"
fail2ban-client status sshd
```
## Troubleshooting
If there's something, you should see related log in syslog log file or Fail2ban
log file:
- syslog: `/var/log/syslog` or `/var/log/messages`
- Fail2ban: `/var/log/fail2ban.log` or `/var/log/fail2ban/fail2ban.log`
If you can not solve the error, feel free to create a new
[forum topic](https://forum.iredmail.org) and paste related log in your post.
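Review bot: In the Tests section the script is run as `/usr/local/bin/fail2ban_banned_db unbandb`, while the sentence directly above it and the cron entry both use `unban_db`; unless the script accepts both spellings, a reader following the test will not trigger the unban, so the command should read `fail2ban_banned_db unban_db`. Two other mismatches in the text: "Action name `iptables-multipart`" should be `iptables-multiport`, and the script is said to read `~postgresql/.pgpass` although the setup steps switch to user `postgres`. The credential steps create `/root/.my.cnf-fail2ban` and append to `~/.pgpass` without stating file permissions; a `chmod 0600` step belongs there, since both files hold the password in plain text and libpq ignores a `.pgpass` that is group- or world-readable. The schema files are also downloaded into `/tmp` as root and then loaded with `SOURCE /tmp/fail2ban.mysql` or `\i /tmp/fail2ban.pgsql`; a root-owned working directory would be a safer place than a world-writable one.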


@ -27,24 +27,25 @@ To disable iRedAPD service:
## How to enable or disable iRedAPD plugins
iRedAPD plugin is Python file under `/opt/iredapd/plugins/` directory. To
iRedAPD plugins are Python files under `/opt/iredapd/plugins/` directory. To
enable a plugin, please find line `plugins =` in iRedAPD config file
`/opt/iredapd/settings.py`, for example:
```
plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle']
plugins = ['greylisting', 'throttle']
```
If you want to enable plugin `reject_sender_login_mismatch` (file
`/opt/iredapd/plugins/reject_sender_login_mismatch.py`), please add the plugin
name in `plugins =` like below, and restart iRedAPD service:
name without extension `.py` in `plugins =` like below, then restart iRedAPD
service:
```
plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle', 'reject_sender_login_mismatch']
plugins = ['greylisting', 'throttle', 'reject_sender_login_mismatch']
```
The priorities of plugins shipped in iRedAPD are hard-coded, so the order of
plugin name in `plugins =` doesn't matter.
plugin names doesn't matter.
To disable a plugin, just remove the plugin name and restart iRedAPD service.
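Review bot: The replacement example `plugins = ['greylisting', 'throttle', 'reject_sender_login_mismatch']` no longer lists `reject_null_sender` and `amavisd_wblist`, which the previous example had; a reader who pastes the line as shown would drop whatever other plugins their `settings.py` already enables. The sentence introducing it should say to append the new name to the existing list rather than replace the line. Minor style point: "under `/opt/iredapd/plugins/` directory" reads better as "under the `/opt/iredapd/plugins/` directory".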

315
html/fail2ban.sql.html Normal file

@ -0,0 +1,315 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Fail2ban: Store banned IP addresses in SQL database</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="fail2ban-store-banned-ip-addresses-in-sql-database">Fail2ban: Store banned IP addresses in SQL database</h1>
<div class="toc">
<ul>
<li><a href="#fail2ban-store-banned-ip-addresses-in-sql-database">Fail2ban: Store banned IP addresses in SQL database</a><ul>
<li><a href="#summary">Summary</a></li>
<li><a href="#how-it-works">How it works</a></li>
<li><a href="#create-required-sql-database">Create required SQL database</a><ul>
<li><a href="#for-openldap-backend-and-mysqlmariadb-backends">For OpenLDAP backend and MySQL/MariaDB backends</a></li>
<li><a href="#for-postgresql-backend">For PostgreSQL backend</a></li>
</ul>
</li>
<li><a href="#add-required-fail2ban-config-file-and-script">Add required Fail2ban config file and script</a></li>
<li><a href="#enable-the-new-action-banned_db">Enable the new action banned_db</a></li>
<li><a href="#add-required-cron-job-to-query-sql-database-and-unban-ip-addresses">Add required cron job to query SQL database and unban IP addresses</a></li>
<li><a href="#optional-add-geoip-database-to-look-up-location-of-banned-ip-address">Optional: Add GeoIP database to look up location of banned IP address</a></li>
<li><a href="#tests">Tests</a></li>
<li><a href="#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="summary">Summary</h2>
<p>Since iRedMail-1.2, Fail2ban is configured to store banned IP addresses in
SQL database. If you run iRedAdmin-Pro or your own web admin panel, it will be
very easy to check and manage banned IP addresses. But if you don't run
iRedAdmin-Pro or don't have custom web admin panel, this integration is totally
optional.</p>
<p>With this SQL integration, to unban an IP address from web admin panel, you can
simply update value of column <code>banned.remove</code> to <code>1</code>, then wait for up to one
minute, a cron job will call <code>fail2ban-client</code> to actually unban it.</p>
<p>With iRedAdmin-Pro, you can login as global admin, go to
<code>Activities -&gt; Banned IP Addresses</code>, then click the <code>Unban</code> button to unban it.</p>
<p><img alt="" src="./images/iredadmin/activity_banned_ip_addresses.png" width="900px" /></p>
<h2 id="how-it-works">How it works</h2>
<p>When some client triggers the ban, Fail2ban will perform actions defined in
<code>action =</code> parameter in jail config file. For example, in jail <code>sshd</code>
(<code>/etc/fail2ban/jail.d/sshd.local</code>):</p>
<pre><code>[sshd]
enabled = ...
filter = ...
logpath = ...
action = iptables-multiport[name=sshd, port=&quot;22&quot;, protocol=tcp]
</code></pre>
<p>Action name <code>iptables-multipart</code> maps to commands defined in
<code>/etc/fail2ban/action.d/iptables-multiport.conf</code> for different fail2ban actions.
For example:</p>
<pre><code>[Definition]
# Notes.: command executed once at the start of Fail2Ban.
actionstart = ...
# Notes.: command executed once at the end of Fail2Ban
actionstop = ...
# Notes.: command executed once before each actionban command
actioncheck = ...
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
actionban = ...
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
actionunban = &lt;iptables&gt; -D f2b-&lt;name&gt; -s &lt;ip&gt; -j &lt;blocktype&gt;
</code></pre>
<p>In this tutorial, we will add a custom action config file and update jail
config files to use this action.</p>
<h2 id="create-required-sql-database">Create required SQL database</h2>
<h3 id="for-openldap-backend-and-mysqlmariadb-backends">For OpenLDAP backend and MySQL/MariaDB backends</h3>
<p>We will create a new database named <code>fail2ban</code> to store banned IP addresses,
also a SQL user <code>fail2ban</code>.</p>
<ul>
<li>Run commands below as <code>root</code> user:</li>
</ul>
<pre><code>cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.mysql
</code></pre>
<ul>
<li>
<p>Run <strong>SQL commands</strong> below as <strong>MySQL <code>root</code> user</strong>:</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please replace <code>&lt;my-secret-password&gt;</code> by your own strong password.</p>
</div>
</li>
</ul>
<pre><code>CREATE DATABASE fail2ban DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL ON fail2ban.* TO 'fail2ban'@'localhost' IDENTIFIED BY '&lt;my-secret-password&gt;';
USE fail2ban;
SOURCE /tmp/fail2ban.mysql;
</code></pre>
<ul>
<li>Create required file: <code>/root/.my.cnf-fail2ban</code>. Script will read MySQL
credential from this file instead of storing plain password in script.</li>
</ul>
<pre><code>[client]
host=&quot;127.0.0.1&quot;
port=&quot;3306&quot;
user=&quot;fail2ban&quot;
password=&quot;&lt;my-secret-password&gt;&quot;
</code></pre>
<h3 id="for-postgresql-backend">For PostgreSQL backend</h3>
<p>We will create a new database named <code>fail2ban</code> to store banned IP addresses,
also a SQL user <code>fail2ban</code>.</p>
<ul>
<li>Run commands below as <code>root</code> user, then switch to PostgreSQL daemon user
<code>postgres</code> and connect to SQL server:</li>
</ul>
<pre><code>cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/sql/fail2ban.pgsql
su - postgres
psql -d template1
</code></pre>
<ul>
<li>
<p>Run <strong>SQL commands</strong> below:</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please replace <code>&lt;my-secret-password&gt;</code> by your own strong password.</p>
</div>
</li>
</ul>
<pre><code>CREATE DATABASE fail2ban WITH TEMPLATE template0 ENCODING 'UTF8';
CREATE USER fail2ban WITH ENCRYPTED PASSWORD '&lt;my-secret-password&gt;' NOSUPERUSER NOCREATEDB NOCREATEROLE;
ALTER DATABASE fail2ban OWNER TO fail2ban;
-- PostgreSQL will prompt to input password for user &quot;fail2ban&quot; with command below.
\c fail2ban fail2ban;
\i /tmp/fail2ban.pgsql;
</code></pre>
<ul>
<li>Now append line below to file <code>~/.pgpass</code> under PostgreSQL daemon user's
HOME directory. Script will read SQL credential from this file.</li>
</ul>
<pre><code>*:*:*:fail2ban:&lt;my-secret-password&gt;
</code></pre>
<h2 id="add-required-fail2ban-config-file-and-script">Add required Fail2ban config file and script</h2>
<p>On Linux, run commands below as <code>root</code> user:</p>
<pre><code>wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/action.d/banned_db.conf
mv banned_db.conf /etc/fail2ban/action.d/
wget https://github.com/iredmail/iRedMail/raw/1.2/samples/fail2ban/bin/fail2ban_banned_db
mv fail2ban_banned_db /usr/local/bin/
chmod 0550 /usr/local/bin/fail2ban_banned_db
</code></pre>
<p>File <code>/etc/fail2ban/action.d/banned_db.conf</code> indicates we now have a new action
named <code>banned_db</code> (it's file name without extension). Feel free to open this
file and check what it does.</p>
<p>Script <code>/usr/local/bin/fail2ban_banned_db</code> will read <code>/root/.my.cnf-fail2ban</code>
(OpenLDAP/MySQL/MariaDB backends) or <code>~postgresql/.pgpass</code> (PostgreSQL backend)
to read SQL credential.</p>
<h2 id="enable-the-new-action-banned_db">Enable the new action <code>banned_db</code></h2>
<p>Now go to <code>/etc/fail2ban/jail.d/</code> and update config files for the jails you
want to store banned IP in SQL db. Let's take <code>sshd.local</code> for example.</p>
<ul>
<li>The <code>action =</code> line in original file looks like this:</li>
</ul>
<pre><code>[sshd]
...
action = iptables-multiport[name=sshd, port=&quot;22&quot;, protocol=tcp]
</code></pre>
<ul>
<li>Add our new action under existing action:</li>
</ul>
<pre><code>[sshd]
...
action = iptables-multiport[name=sshd, port=&quot;22&quot;, protocol=tcp]
banned_db[name=sshd, port=&quot;22&quot;, protocol=tcp]
</code></pre>
<p>That's it. It's recommend to enable this new action <code>banned_db</code> for all jails.</p>
<p>Now restart <code>fail2ban</code> service to load modified config files.</p>
<h2 id="add-required-cron-job-to-query-sql-database-and-unban-ip-addresses">Add required cron job to query SQL database and unban IP addresses</h2>
<p>Now add a cron job for <code>root</code> user:</p>
<pre><code>* * * * * /bin/bash /usr/local/bin/fail2ban_banned_db unban_db
</code></pre>
<p>It runs every minute and query SQL database to get IP addresses which are
pending for removal.</p>
<h2 id="optional-add-geoip-database-to-look-up-location-of-banned-ip-address">Optional: Add GeoIP database to look up location of banned IP address</h2>
<p>Script <code>/usr/local/bin/fail2ban_banned_db</code> detects whether commands
<code>geoiplookup</code> and <code>geoiplookup6</code> exist, if exist, it runs the command to query
country of banned IP address and store it in SQL database.</p>
<ul>
<li>On RHEL/CentOS 7:</li>
</ul>
<pre><code>yum -y install GeoIP GeoIP-data
</code></pre>
<ul>
<li>On RHEL/CentOS 8:</li>
</ul>
<pre><code>yum -y install GeoIP GeoIP-GeoLite-data
</code></pre>
<ul>
<li>On Debian/Ubuntu:</li>
</ul>
<pre><code>apt -y install geoip-bin geoip-database
</code></pre>
<ul>
<li>On OpenBSD 6.6:</li>
</ul>
<pre><code>pkg_add GeoIP geolite-country
</code></pre>
<h2 id="tests">Tests</h2>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>We use MySQL for example here.</p>
</div>
<p>Run <code>fail2ban-client</code> command as <code>root</code> user to ban 2 IP addresses like below:</p>
<pre><code>fail2ban-client set sshd banip 1.1.1.1
fail2ban-client set sshd banip 1.1.1.2
</code></pre>
<p>You can see the banned IP address with command <code>fail2ban-client status &lt;jail&gt;</code>:</p>
<pre><code>fail2ban-client status sshd
</code></pre>
<p>Command output:</p>
<pre><code>Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: ...
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 1.1.1.2 1.1.1.1
</code></pre>
<p>Now run command below to query SQL table <code>fail2ban.banned</code> as <code>root</code> user:</p>
<pre><code>mysql fail2ban -e &quot;SELECT * FROM banned&quot;
</code></pre>
<p>You should see the command output like below:</p>
<pre><code>+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
| id | ip | ports | protocol | jail | hostname | country | timestamp | remove |
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
| 3 | 1.1.1.1 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:57 | 0 |
| 4 | 1.1.1.2 | 22 | tcp | sshd | ob66.localdomain | AU, Australia | 2020-04-15 13:34:58 | 0 |
+----+---------+-------+----------+------+------------------+---------------+---------------------+--------+
</code></pre>
<p>Now run <code>fail2ban-client</code> command to unban IP and query SQL table
<code>fail2ban.banned</code> again, you should see unbanned IP is gone:</p>
<pre><code>fail2ban-client set sshd unbanip 1.1.1.1
</code></pre>
<p>Now run command as <code>root</code> user to update SQL column <code>banned.remove=1</code> to
simulate the unban triggered by iRedAdmin-Pro:</p>
<pre><code>mysql fail2ban -e &quot;UPDATE banned SET remove=1 WHERE ip='1.1.1.2'&quot;
</code></pre>
<p>Run script <code>/usr/local/bin/fail2ban_banned_db</code> with argument <code>unban_db</code> as <code>root</code> user:</p>
<pre><code>/usr/local/bin/fail2ban_banned_db unbandb
</code></pre>
<p>Again, query SQL table <code>fail2ban.banned</code> as <code>root</code> user, you should see the IP
stored in SQL db with <code>remove=1</code> is gone, and unbanned in fail2ban too:</p>
<pre><code>mysql fail2ban -e &quot;SELECT * FROM banned&quot;
fail2ban-client status sshd
</code></pre>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>If there's something, you should see related log in syslog log file or Fail2ban
log file:</p>
<ul>
<li>syslog: <code>/var/log/syslog</code> or <code>/var/log/messages</code></li>
<li>Fail2ban: <code>/var/log/fail2ban.log</code> or <code>/var/log/fail2ban/fail2ban.log</code></li>
</ul>
<p>If you can not solve the error, feel free to create a new
<a href="https://forum.iredmail.org">forum topic</a> and paste related log in your post.</p><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-3293801-21');
</script>
</body></html>
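Review bot: The Tests block here runs `fail2ban_banned_db unbandb` while the cron line uses `unban_db`, and "How it works" says `iptables-multipart` for `iptables-multiport`; both match the text of `en_US/howto/fail2ban.sql.md`, from which this page appears to be generated, so they should be fixed in the Markdown source and the page regenerated rather than edited by hand. The screenshot is emitted as `<img alt="" src="./images/iredadmin/activity_banned_ip_addresses.png" ...>`; adding alt text to the image in the source would carry through to this page.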

Binary file not shown.



@ -118,6 +118,7 @@
<li><a href="dovecot.master.user.html">Dovecot Master User: Access user's mailbox without owner's password.</a></li>
<li><a href="enable.dnsbl.html">Enable DNSBL service in Postfix to reduce spam</a></li>
<li><a href="enable.postscreen.html">Enable postscreen service</a></li>
<li><a href="fail2ban.sql.html">Fail2ban: Store banned IP addresses in SQL database</a></li>
<li><a href="force.user.to.change.password.html">Force mail user to change password in 90 days</a></li>
<li><a href="ignore.trash.folder.in.quota.html">Ignore Trash folder in mailbox quota</a></li>
<li><a href="ldap.add.alias.domain.html">LDAP: Add an alias domain</a></li>


@ -71,20 +71,21 @@ user <code>iredapd</code>.</p>
<li>Disable iredapd service.</li>
</ol>
<h2 id="how-to-enable-or-disable-iredapd-plugins">How to enable or disable iRedAPD plugins</h2>
<p>iRedAPD plugin is Python file under <code>/opt/iredapd/plugins/</code> directory. To
<p>iRedAPD plugins are Python files under <code>/opt/iredapd/plugins/</code> directory. To
enable a plugin, please find line <code>plugins =</code> in iRedAPD config file
<code>/opt/iredapd/settings.py</code>, for example:</p>
<pre><code>plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle']
<pre><code>plugins = ['greylisting', 'throttle']
</code></pre>
<p>If you want to enable plugin <code>reject_sender_login_mismatch</code> (file
<code>/opt/iredapd/plugins/reject_sender_login_mismatch.py</code>), please add the plugin
name in <code>plugins =</code> like below, and restart iRedAPD service:</p>
<pre><code>plugins = ['reject_null_sender', 'amavisd_wblist', 'greylisting', 'throttle', 'reject_sender_login_mismatch']
name without extension <code>.py</code> in <code>plugins =</code> like below, then restart iRedAPD
service:</p>
<pre><code>plugins = ['greylisting', 'throttle', 'reject_sender_login_mismatch']
</code></pre>
<p>The priorities of plugins shipped in iRedAPD are hard-coded, so the order of
plugin name in <code>plugins =</code> doesn't matter.</p>
plugin names doesn't matter.</p>
<p>To disable a plugin, just remove the plugin name and restart iRedAPD service.</p>
<h2 id="how-to-add-custom-settings">How to add custom settings</h2>
<p>iRedAPD has some default settings in file