install and configure policyd on zimbra

Ahmad Imanudin has a nice series of tutorials on installing and configuring policyd on Zimbra.

1. Install and enable the web UI:
   How To Install PolicyD on Zimbra 8.5
2. Password-protect the web UI with .htaccess:
   Zimbra Tips: How To Protect Policyd WebUI
3. Configure policyd using the web UI:
   Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD
4. Reject unlisted domains using the policyd web UI:
   Improving Anti Spam : Reject Unlisted Domain On Zimbra 8.5

remote desktop (rdp) service on windows 10 home

One of the main differences between Windows 10 Pro and Windows 10 Home is that the latter lacks the remote desktop service. But thanks to this wonderful project, the RDP service is no longer a barrier.

We have tested this solution in two different Windows 10 Home machines and it works great.

  • Download RDPWrap-vx.x.zip from https://github.com/binarymaster/rdpwrap/releases/ or use the direct link to the zip file v1.6.
  • Extract the contents on your Windows machine (this solution also seems to work for 8.1 Home and 8.1 Starter, but we have only tested it on Windows 10).
  • Right-click install.bat and run it as administrator.
  • Run RDPConf and make the appropriate changes. The default settings should be OK for testing, but later on we recommend at least changing the security settings to Default Authentication. Network Level Authentication is the best choice, but it refuses connections from older machines (Windows XP). If you want to allow connections from Windows XP, choose Default Authentication.
  • Try RDPCheck. If the check fails, run update.
  • Finally, RDPCheck connects successfully.

Example of an unsuccessful connection (screenshots of the Disconnected dialog and the Local RDP Checker).


adding exceptions to iwatch

In a previous article we saw how to install iwatch (http://blog.grs.gr/?p=455&lang=en). If you watch a directory with continuous changes, you may find it useful to exclude specific types of files and/or directories.

Let’s say you want to monitor a web server that hosts example.com, with the site’s file structure at /var/www/example.com and media files mostly at /var/www/example.com/uploads, and you want to skip monitoring /var/www/example.com/uploads.
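
A watch list for that scenario, added here as an example (not configuration from the original post): it watches the site tree recursively and excludes the uploads directory. The e-mail addresses, the swap-file pattern and the DTD path are assumptions.

```xml
<?xml version="1.0" ?>
<!-- DTD path is assumed; adjust to where your package installs iwatch.dtd -->
<!DOCTYPE config SYSTEM "/etc/iwatch.dtd" >
<config charset="utf-8">
  <!-- sender address used on alert mails (assumed value) -->
  <guard email="iwatch@example.com" name="IWatch"/>
  <watchlist>
    <title>example.com web root</title>
    <!-- recipient of the alerts (assumed value) -->
    <contactpoint email="webmaster@example.com" name="Web Master"/>
    <!-- watch the whole site tree; directories created later are picked up too -->
    <path type="recursive" syslog="on">/var/www/example.com</path>
    <!-- exception: the constantly changing media uploads are not reported -->
    <path type="exception">/var/www/example.com/uploads</path>
    <!-- regexception: skip any path matching this regex, here editor swap files (assumed pattern) -->
    <path type="regexception">\.swp$</path>
  </watchlist>
</config>
```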

configuring ossec

Useful links, though a bit outdated:

OSSEC For Website Security: Part I

https://hackertarget.com/defending-wordpress-ossec/

How to add an access log to the OSSEC monitor:

# /var/ossec/bin/util.sh addfile /var/log/httpd/somesite.access_log

How to start, stop and check OSSEC:

service ossec start
service ossec stop
service ossec restart
service ossec status

You might find useful changing this file:

nano /var/ossec/etc/ossec.conf

<!-- Frequency that syscheck is executed - set to every 4 hours -->
<frequency>14400</frequency>

<!-- Directories to check  (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">[path to the root of your site]</directories>

<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>

This sets the syscheck interval to 14400 seconds (4 hours), adds monitoring of the site root path and alerts on new files.

To enable alerting for new files, edit

/var/ossec/rules/ossec_rules.xml

Go to rule 554 and change level to 7 like this:

<rule id="554" level="7">
 <category>ossec</category>
 <decoded_as>syscheck_new_entry</decoded_as>
 <description>File added to the system.</description>
 <group>syscheck,</group>
</rule>
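
An upgrade-safe way to make the same change, added here as an example rather than taken from the post: put the overridden rule in /var/ossec/rules/local_rules.xml, which OSSEC loads after its shipped rules and does not replace on upgrade. The rule body is the one above; the overwrite attribute is OSSEC's own, and the group name is an assumption.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<!-- group name is an assumption; any local group works -->
<group name="local,syscheck,">
  <!-- overwrite="yes" replaces shipped rule 554 instead of editing ossec_rules.xml,
       so the level-7 alert on new files survives package upgrades -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```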

installing ossec on debian

copied from http://ossec.github.io/downloads.html#deb-installation

DEB Installation

To install with apt-get do the following:

Step 1. Install the apt-get repository key:

# apt-key adv --fetch-keys http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key

Step 2. Add the repository for Debian (available distributions are Sid, Jessie and Wheezy):

# echo 'deb http://ossec.wazuh.com/repos/apt/debian wheezy main' >> /etc/apt/sources.list

Or add the repository for Ubuntu (available distributions are Precise, Trusty and Utopic):

# echo 'deb http://ossec.wazuh.com/repos/apt/ubuntu precise main' >> /etc/apt/sources.list

Step 3. Update the repository:

# apt-get update

Step 4. Install OSSEC HIDS server/manager:

# apt-get install ossec-hids

Or install OSSEC HIDS agent:

# apt-get install ossec-hids-agent

webmin on debian

http://www.webmin.com/deb.html

nano /etc/apt/sources.list

add the following:

deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Save and exit.

Fetch and install the webmin GPG key with which the repository is signed, using the commands:

cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

install webmin

apt-get update

apt-get install webmin

Wait for webmin to install; depending on your hardware, this can take up to 30 minutes.

Log in to webmin as root, or as any user who can use sudo.

linux: find all files of a particular size

Copied from: http://www.ducea.com/2008/02/12/linux-tips-find-all-files-of-a-particular-size/

The Unix find command is a very powerful tool, and this short post is intended to show how easily you can achieve something that might look complicated: finding all the files of a particular size. Let’s assume you are searching for all the files of exactly 6579 bytes inside the home directory. You will just have to run something like:

find /home/ -type f -size 6579c -exec ls {} \;

As units you can use:

  • b – for 512-byte blocks (this is the default if no suffix is used)
  • c – for bytes
  • w – for two-byte words
  • k – for Kilobytes (units of 1024 bytes)
  • M – for Megabytes (units of 1048576 bytes)
  • G – for Gigabytes (units of 1073741824 bytes)

You can search for an exact file size, or just for bigger (+) or smaller (-) files. For example, all files bigger than 512k would be found with something like:

find /home/ -type f -size +512k -exec ls -lh {} \;

I have added here -lh to the ls output so it will actually show the files with their sizes in a nice human readable format. Similar for smaller files you would use -size -512k.

install iwatch on debian

http://iwatch.sourceforge.net/documentation.html

iWatch is a realtime filesystem monitoring program. Its purpose is to monitor any changes in a specific directory or file and send an email notification immediately after the change. This can be very useful to watch a sensitive file or directory against any changes, like the files /etc/passwd and /etc/shadow or the directory /bin, or to monitor the root directory of a website against any unwanted changes.

apt-get install iwatch
nano /etc/default/iwatch

iwatch configuration file (/etc/default/iwatch):

# START_DAEMON:
#   should iwatch start the iwatch daemon during boot?
#   change to "true" or "yes" if needed.
START_DAEMON=true
# CONFIG_FILE:
#   configuration file for iwatch daemon
#
CONFIG_FILE=/etc/iwatch/iwatch.xml

nano /etc/iwatch/iwatch.xml

http://serverfault.com/questions/185620/iwatch-doesnt-email-me-or-appear-to-doing-anything

Firstly if you don’t want it to email your local system then change:

<contactpoint email="[email protected]" name="Administrator"/>

to

<contactpoint email="[email protected]" name="Administrator"/>

If you are ok with that then the next step is check to see if it is running

ps aux | grep iwatch

Then start it with the service command, ie

service iwatch start

Check if it is running again

ps aux | grep iwatch

Now test it out by running

touch /etc/test

And you should get an email, good luck!

Here is a good example of a configuration file

https://github.com/kiwiroy/iwatch/blob/master/iwatch.xml.example

<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch.dtd" >

<!-- iWatch configuration -->
<!--
You can create several watch lists, each with its own contact point,
and in each watch list you can put all directories and files you want to monitor.
The path type decides how a directory is monitored, recursively or as a single
directory. But it will monitor all newly created directories (after iwatch
started) recursively regardless of path type.
iWatch will send email alerts with the guard's email address as sender.
Don't forget to set the correct email address here.
-->

<config charset="utf-8">
<guard email="[email protected]" name="IWatch"/>
<watchlist>
<title>Public Website</title>
<contactpoint email="[email protected]" name="Web Master"/>
<path type="single" syslog="on">/var/www/localhost/htdocs</path>
<path type="single" syslog="off">/var/www/localhost/htdocs/About</path>
<path type="recursive">/var/www/localhost/htdocs/Photos</path>
</watchlist>
<watchlist>
<title>Operating System</title>
<contactpoint email="[email protected]" name="Administrator"/>
<path type="recursive">/etc/apache2</path>
<path type="single">/bin</path>
<path type="single" filter="shadow|passwd">/etc</path>
<path type="recursive">/etc/mail</path>
<path type="exception">/etc/mail/statistics</path>
</watchlist>
<watchlist>
<title>Only Test</title>
<contactpoint email="[email protected]" name="Administrator"/>
<path type="single" alert="off" exec="(w;ps)|mail -s %f [email protected]">/tmp/dir1</path>
<path type="single" events="access,close" alert="off" exec="(w;ps)|mail -s %f [email protected]">/tmp/dir2</path>
<path type="single" events="default,access" alert="off" exec="(w;ps)|mail -s '%f is accessed at %{%H:%M:%S}d' [email protected]">/tmp/dir3</path>
<path type="single" events="all_events" alert="off">/tmp/dir4</path>
<path type="recursive">/data/projects</path>
<path type="regexception">\.svn</path>
</watchlist>
</config>