What the subject says. I have an user who logs in using SSH through a provider that gives him a dynamic IP from a pool; all of their IPs map to static.hostingprovider.name, but that name doesn't resolve back to the same IP address.
SSH detects this and spits out the message "POSSIBLE BREAK-IN ATTEMPT", which triggers the failregex. I want to add an exception so that, if the connection attempt comes from static.hostingprovider.name, it ignores the warning. If I just add static.hostingprovider.name to the ignoreregex list, will it simply work?
In your jail.local file add this line:
ignoreip = static.hostingprovider.name
Related
What is the preferred way to validate requested DICOM connection against a list of known hosts?
I can connect to the EVT_CONN_OPEN event. But in that, the event.assoc.requestor.info.ae_title element is always empty (b'').
I see from a TCP network analysis, that the name is transmitted. So, where is it?
What is the right way to validate the requesting host?
You could try using EVT_REQUESTED instead, it gets triggered after an association request is received/sent and the AE title information should be available at that point. Unfortunately EVT_CONN_OPEN is triggered on TCP connection which occurs prior to the association request.
If you don't like the host's details you can use the handler to send an association rejection message using event.assoc.acse.send_reject() or abort with event.assoc.abort().
If you're only interested in validating against the AE title you can use the AE.require_calling_aet property to restrict associations to those with matching AE titles.
For the benefit of anyone else looking this up, the correct stage to look this up is in the EVT_REQUESTED event. However you will likely find the details aren't filled in (they are populated AFTER the handler has been called).
So if you want to locate the callers AE in EVT_REQUESTED, you need to locate the A_ASSOCIATE primitive and read them from there. So for example in your handler you can do this to reject remotes:
def handle_request(event):
req_title = event.assoc.requestor.primitive.calling_ae_title.decode('ascii')
if req_title != 'MyAET':
event.assoc.acse.send_reject(0x01, 0x01, 0x03)
return
At least for 1.5.7.
I am wondering if there is a way to pass either a host, fqdn, or IP address to DNSPython and have it perform the proper lookup (forward for hosts and fqdns and reverse for ips). Also, I want to know what kind of address (host, fqdn, or ip) was sent to the method originally.
Thanks in advance
To my knowledge, there's not a single function that will do what you're looking for. However, it wouldn't be too hard to implement. Here's how I'd probably do it.
First, I'd check if the input was an IP address
import ipaddress
def is_ipaddress(string):
try:
ipaddress.ip_address(string)
return True
except ValueError:
return False
If it is an IP address, then I'd call dns.query.reverse_query(). This is assuming I have installed the latest development version of dnspython from Github because reverse_query() was only recently added (see https://github.com/rthalley/dnspython/commit/7c105cce64699e1a221176f98f7cb9e682aba1e0).
If it's not an IP address, then I'd prepare my query with dns.message.make_query(name, rdtype) and then send it with dns.query.udp().
If you wanted to use the value of search in /etc/reolv.conf, you might consider creating a dns.resolver.Resolver, which currently does search processing by default.
import dns.resolver
import dns.rdatatype
resolver = dns.resolver.Resolver()
response = resolver.query('my-computer', dns.rdatatype.A)
I currently have the following DNS Query Alert rule set up in Suricata (for test purposes):
alert dns any any -> any any (msg:”Test dns_query option”; dns_query; content:”google”; nocase; sid:1;)
Which is triggered when it captures DNS events which contain the word "google", such as in this packet:
{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}
However, instead of searching for resource record names that contain "google", I want to use this same kind of alert to trigger on IP addresses that resolve to loopback, as is the case with the following packet (Notice the rdata field):
{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}
As I have noticed, the contentsection of a Suricata rule searches only for a string.
My current rule triggers on a text match with the rrname/domain, how would I make it so that the rule triggers on rdata/IP address?
p.s.
Just out of curiosity I tried replacing the "google" in the content section of my alert with "127.0.0.1" and that didn't work either, as expected.
The ip address is just a 32 bit number. In the rule the IP should be represented as a hex value and not a string, for purposes of efficiency and saving bandwidth (a string will be 8+ bytes as opposed to 4 bytes).
Here is my final Suricata rule to alert whenever somebody gets sent to loopback on my network:
alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
I know this might be a dummy question or a question that comes from lack of knowledge, but I hope someone can still answer it. I did try to read a lot of Postfix documentation but found no answer to this. I don't even know if it's a Postfix specific or mail servers general question.
So I have a mail server, just a clean Postfix install that delivers email.
I've defined my users and connected with IMAP and SMTP using Thunderbird.
When I went to Thunderbird account settings and disabled "place a copy", Postfix did not put a copy of the sent message in the user .Sent folder.
However, I've also connected my Gmail, Hotmail or Yahoo mail and disabled the "place a copy" and still have a copy in the sent items folder.
So in this case there are 2 options:
Something is wrong with my Postfix configuration
Gmail, Hotmail, Yahoo put a copy in their sent folder as a different process on the server side
Just for the record, having searched around for a how to, and not finding one, I am posting it here:
The only (easy) way I've found to save sent emails is the sender_bcc solution (with it's attendant faults):
I am using postfix / dovecot / sieve / mysql virtual boxes
In /etc/postfix/main.cf add:
sender_bcc_maps = mysql:/etc/postfix/mysql-virtual-bcc-maps.cf
Create file /etc/postfix/mysql-virtual-bcc-maps.cf:
user = (database user)
password = (database password)
hosts = 127.0.0.1
dbname = (database databasename)
query = SELECT CONCAT_WS('',LEFT('%s', LOCATE('#', '%s')-1),'+sent#',SUBSTRING('%s', LOCATE('#', '%s')+1)) AS destination FROM virtual_users WHERE email='%s' AND autosent=1
You'll note in my query, I've added a (tinyint default 0) column to my virtual_users table so I can turn on/off this automatic sent items feature per user. This query takes the sender email address that postfix gives it, splits it in half at the # sign, and adds +sent to the address so it looks like sender+sent#domain.tld. This allows sieve in the next step to pick it up and drop it straight to sent items.
In /etc/dovecot/sieve/default.sieve add:
require ["fileinto", "mailbox", "envelope", "subaddress","imap4flags"];
if envelope :detail "to" "sent" {
addflag "\\Seen";
fileinto :create "Sent";
stop;
}
Also helpful to modify /etc/dovecot/conf.d/15-mailboxes.conf and add the auto subscribe to sent (and junk and trash and others for that matter):
mailbox Sent {
special_use = \Sent
auto = subscribe
}
I think that is all (I'm posting this the next day after doing it, so I think I got it all...)
Postfix itself does not place copies of sent messages anywhere; it receives messages and delivers them to the recipient. Saving sent messages to your own mailbox is the responsibility of your user agent (Thunderbird, in your case).
It's important to understand that Postfix (and other traditional Unix SMTP servers) don't have a "user" concept. Yes, if so configured it's possible to authenticate by supplying a username and a password, but Postfix doesn't use this identity information.
That said, it's not impossible to configure Postfix to do what you expected – sender_bcc_maps can be used to add a recipient to messages sent by you, and by adding yourself and using a filter in your mail client (or mail delivery agent like procmail) you can make sure that messages sent by you end up in the Sent folder.
I am running a Installation with automatic copies created by sender_bcc_maps. It's working fine. You have to check the sender, otherwise everyone can create sent mails in foreign sent folders.
I have solved it with two virtual domains. One for the user and one for the copy.
But there is a big problem with sender_bcc_maps. All bcc senders will be deleted in the sent copy. You cannot see anymore, who got a blind copy of this mail.
As 'ego2dot0' said above, you don't need any MDA filters (sieve etc.) to do this. It can be done using Postfix alone, although it took me a while to figure out how to do it.
You have to use sender_bcc_maps AND virtual_mailbox_maps features together.
You have to use a virtual domain dedicated specially for copies to self. If your actual domain is "your.domain.tld", you can use eg. subdomain "copyself.your.domain.tld". This subdomain does not have to actually exist, ie. be defined in the DNS (moreover, it's better that it isn't defined, so nobody accidentally sends mail to it from outside). It is a purely virtual domain that is recognized only by Postfix.
1) Configure sender_bcc_maps to BCC mail coming from user#your.domain.tld to user#copyself.your.domain.tld. You can do it for only a few selected users using a regular "hash" type map, or you can do it for all users at once using PCRE type map and regular expressions.
2) You have to define your virtual domain in virtual_mailbox_domains, like this:
virtual_mailbox_domains=copyself.your.domain.tld
3) Configure virtual_mailbox_maps so that the destination mailbox for address "user#copyself.your.domain.tld" is the actual "Sent" mailbox of the user "user". For example (assumed that you are using regular system users and Maildir format - like in my case) the path to "Sent" mailbox for user "user" will be "/home/user/Maildir/.Sent". So, you can define common part of the path as virtual_mailbox_base, eg.
virtual_mailbox_base=/home
and then in the virtual mailbox map enter the rest of the path like this:
user#copyself.your.domain.tld user/Maildir/.Sent/
(the trailing / is important to indicate the Maildir format).
Again, you can use PCRE type map to do this for all users.
4) To properly save mail to the mailbox, Postfix need to also know the proper UID and GID for the particular user, so you have to use virtual_uid_maps and virtual_gid_maps parameters as well. If you are using virtual users, it's probably enough to define "static" type maps specifying a single UID and GID of the system user that owns all the virtual mailboxes. However, if you are using system users like me, you need the proper actual UID and GID for any user. If you have only a few users, you can use a regular "hash" type map, with entries like these:
user#copyself.your.domain.tld 2001
or you can try to setup a pipeline with "pipemap" map type, that uses some PCRE maps and "unix:passwd.byname" map to obtain the UIDs and GIDs for all users (I haven't done this part, as my Postfix installation is compiled without "pipemap" type support).
So to sum everything up, use something like this:
In /etc/postfix/main.cf file, add the following lines:
sender_bcc_maps=hash:/etc/postfix/sender_bcc
virtual_mailbox_domains=copyself.your.domain.tld
virtual_mailbox_base=/home
virtual_mailbox_maps=hash:/etc/postfix/copyself
virtual_uid_maps=hash:/etc/postfix/copyself_uids
virtual_gid_maps=hash:/etc/postfix/copyself_gids
/etc/postfix/sender_bcc contains a bunch of lines like:
user#your.domain.tld user#copyself.your.domain.tld
/etc/postfix/copyself contains - respectively - lines like:
user#copyself.your.domain.tld user/Maildir/.Sent/
/etc/postfix/copyself_uids and /etc/postfix/copyself_gids contain - respectively - lines like:
user#copyself.your.domain.tld 2001
I have done this on my server and it works great for me.
i want to request for an opt resource record message to dns server bind 9.
but i don't know the format and the server configration.
http://www.ietf.org/rfc/rfc2671.txt this doc is the edns doc.
i create the message formatted following the doc,but it doesn't work. server tell me format error.
the req message:
Question Record:
QName:a6.debian.com
QType:0x41(OPT type)
QClass:0x01(Internet)
Additional Record:
Resource Name:0xc0,0x0c( pointer to QName)
Resource Type:0x41
ResourceClass:512(udp payload size)
TimeToLive:0x1EF0000(split to extent-code version and Z)
ResourceDataLength:0x08
Rdata:(OPTRdata):
OptCode:0x4000
OptLength:0x04
OptData:0x0A,0x0A,0x0A,0x0A
What's wrong???Could you help me?
There's no OPT type record. OPT is pseudo-record type. You can not query for it. You use OPT to pass some specific parameters to DNS server, like EDNS. Besides it can appear in "ADDITIONAL" section only