From eed360d3e65bb7cfcdde7457de17873b74193104 Mon Sep 17 00:00:00 2001
From: Chris Blankenship
Date: Mon, 25 Apr 2016 19:12:56 -0700
Subject: [PATCH 1/2] Changed UFW from Allow to Limit for inbound connection throttling
---
 setup/functions.sh | 8 ++++++++
 setup/mail-dovecot.sh | 6 +++---
 setup/system.sh | 4 ++--
 setup/web.sh | 4 ++--
 4 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/setup/functions.sh b/setup/functions.sh
index 947aa5ab..b08a2382 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -132,6 +132,14 @@ function ufw_allow {
 fi
 }
+# Adds a limit rule allowing 6 in 30 sec
+function ufw_limit {
+ if [ -z "$DISABLE_FIREWALL" ]; then
+ # ufw has completely unhelpful output
+ ufw limit $1 > /dev/null;
+ fi
+}
+
 function restart_service {
 hide_output service $1 restart
 }
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index e4fbf16f..28c969aa 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -200,11 +200,11 @@ mkdir -p $STORAGE_ROOT/mail/sieve/global_after
 chown -R mail.mail $STORAGE_ROOT/mail/sieve
 # Allow the IMAP/POP ports in the firewall.
-ufw_allow imaps
-ufw_allow pop3s
+ufw_limit imaps
+ufw_limit pop3s
 # Allow the Sieve port in the firewall.
-ufw_allow sieve
+ufw_limit sieve
 # Restart services.
 restart_service dovecot
diff --git a/setup/system.sh b/setup/system.sh
index cc152524..0c956543 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -229,7 +229,7 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 apt_install ufw
 # Allow incoming connections to SSH.
- ufw_allow ssh;
+ ufw_limit ssh;
 # ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
 # settings, find the port it is supposedly running on, and open that port #NODOC
@@ -239,7 +239,7 @@ if [ -z "$DISABLE_FIREWALL" ]; then
 if [ "$SSH_PORT" != "22" ]; then
 echo Opening alternate SSH port $SSH_PORT. #NODOC
- ufw_allow $SSH_PORT #NODOC
+ ufw_limit $SSH_PORT #NODOC
 fi
 fi
diff --git a/setup/web.sh b/setup/web.sh
index 6a412b98..89c3cee6 100755
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -106,6 +106,6 @@ restart_service nginx
 restart_service php5-fpm
 # Open ports.
-ufw_allow http
-ufw_allow https
+ufw_limit http
+ufw_limit https
From 9eb7e058be72d52cc2c01d0a0fb14783011315a3 Mon Sep 17 00:00:00 2001
From: Chris Blankenship
Date: Mon, 25 Apr 2016 21:45:05 -0700
Subject: [PATCH 2/2] Configured dovecot to log to a dedicated file
---
 setup/mail-dovecot.sh | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index 28c969aa..350e5331 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -38,8 +38,31 @@ apt_install \
 # would be 20 users). Set it to 250 times the number of cores this
 # machine has, so on a two-core machine that's 500 processes/100 users).
 tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
- default_process_limit=$(echo "`nproc` * 250" | bc)
+ default_process_limit=$(echo "`nproc` * 250" | bc) \
+ log_path = /var/log/dovecot.log
+# Set the log file for dovecot to it's own to avoid loading up
+# syslog with excessive log events
+tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
+ log_path = /var/log/dovecot.log
+
+# Add logrotate entry for dovecot
+cat > /etc/dovecot/conf.d/90-plugin-fts.conf << EOF;
+/var/log/dovecot*.log {
+ missingok
+ notifempty
+ delaycompress
+ sharedscripts
+ postrotate
+ doveadm log reopen
+ endscript
+}
+EOF
+
+# set ownership and permissions for dovecot log file
+chown syslog:adm /var/log/dovecot.log
+chmod 640 /var/log/dovecot.log
+
 # The inotify `max_user_instances` default is 128, which constrains
 # the total number of watched (IMAP IDLE push) folders by open connections.
 # See http://www.dovecot.org/pipermail/dovecot/2013-March/088834.html.
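Review bot: `ufw limit $1` in the new ufw_limit passes its argument unquoted, so an empty or space-containing argument is split or dropped before ufw sees it; write it as `ufw limit "$1" > /dev/null;` (ufw_allow, whose body starts outside this hunk, looks to have the same shape, so this is matching existing style rather than a new regression). The header comment should also tell callers what the rule does: ufw's limit rule denies a source address that opens more than 6 new connections within 30 seconds, which fits SSH brute-force throttling but not services whose clients legitimately open several parallel connections. Suggest `# Adds a rate-limited allow rule: a source making more than 6 new connections in 30 seconds is denied. Suitable for SSH-style services, not for HTTP/IMAP where clients open several connections at once.`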
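Review bot: Switching imaps, pop3s and sieve from ufw_allow to ufw_limit applies ufw's deny-after-6-new-connections-in-30-seconds rule to services whose clients routinely exceed that: a mail client commonly keeps several IMAP connections open per account (one IDLE per watched folder, as the inotify comment elsewhere in this file notes), and every user behind a shared NAT address counts against the same limit, so legitimate users are blocked intermittently while an attacker pacing logins stays under the threshold. The same problem applies to the http/https change in setup/web.sh in this patch, where browsers open several parallel connections per page load. Keep `ufw_allow imaps`, `ufw_allow pop3s` and `ufw_allow sieve` here (and ufw_allow for http/https), and reserve ufw_limit for ssh in setup/system.sh; throttling of failed IMAP/POP logins belongs at the application layer where failed authentications rather than connections are counted — verify whether an existing login-failure watcher already covers dovecot before relying on the firewall for it.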
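Review bot: The comment `# Allow incoming connections to SSH.` above the changed line is now stale, since `ufw_limit ssh;` installs a rate-limiting rule rather than a plain allow; suggest `# Allow incoming connections to SSH, rate-limited: ufw denies a source that makes more than 6 new connections in 30 seconds.` This is the one place in the patch where the limit rule fits, because an SSH client holds a single long-lived connection, and the alternate-port hunk below applies the same rule consistently. The enclosing `if [ -z "$DISABLE_FIREWALL" ]` block starts before this hunk and continues past it.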
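Review bot: The logrotate stanza is written to `/etc/dovecot/conf.d/90-plugin-fts.conf`, which is dovecot's own configuration directory (the stock dovecot.conf includes conf.d/*.conf), so dovecot would try to parse a logrotate block as its configuration and logrotate would never see it; it belongs under `/etc/logrotate.d/` (for example `/etc/logrotate.d/dovecot`), and the chosen filename would also clobber any fts plugin config of that name. Two further problems in the same hunk: `log_path = /var/log/dovecot.log` is passed to editconf.py as three separate words (`log_path`, `=`, `/var/log/dovecot.log`), unlike the existing `default_process_limit=...` argument on the line above, and it is passed twice (appended to the first editconf call and again in a second call), so the first addition should be dropped and the second written as `log_path=/var/log/dovecot.log`. `chown syslog:adm /var/log/dovecot.log` runs before dovecot has been restarted and created the file, so unless the file already exists the chown and chmod fail; create it with `touch` first, and add `create 0640 syslog adm` to the logrotate stanza so the permissions survive rotation. Moving dovecot's authentication logging out of the syslog mail log also changes where any consumer that watches for failed IMAP/POP logins (a fail2ban jail, for instance, if one is configured) has to read — verify and repoint it before merging.
```shell
tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
	default_process_limit=$(echo "`nproc` * 250" | bc)

# … unchanged: comment explaining the dedicated log file …
tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
	log_path=/var/log/dovecot.log

# Add logrotate entry for dovecot
cat > /etc/logrotate.d/dovecot << EOF;
/var/log/dovecot*.log {
	create 0640 syslog adm
	# … unchanged: missingok … endscript …
}
EOF

# set ownership and permissions for dovecot log file
touch /var/log/dovecot.log
chown syslog:adm /var/log/dovecot.log
chmod 640 /var/log/dovecot.log
```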