Posts made by anthonyh
-
RE: Active Directory - Scripting the adding/removal of users to group
@r3dpand4 I apologize if my OP wasn't clear. I'm looking to match based on a pattern in the E-mail attribute of an account. Not matching based on username. Basically, if the email address in the E-mail attribute field is a specific domain (*@domain.org as an example), I want to add the users to a specific security group. If that changes in the future (we have instances where users float between organizations), I want to remove them from the group.
-
Active Directory - Scripting the adding/removal of users to group
Hey All,
I would like to write a script to dynamically handle adding/removing users to a security group in Active Directory.
Basically, if a user's E-mail attribute matches a certain pattern (*@domain.org), I want to add them as a member of a group (Group X). If it doesn't match, I want to remove them from the group if they are a member.
So I'm thinking the script (or possibly two separate scripts) would need to work as follows:
Grab a list of current members of the group. Check each member for pattern that makes them eligible for said group. If no match, remove them from the group.
Grab a list of users that aren't a member of the group. Check each user for pattern that makes them eligible for said group. If matched, add them to the group.
I haven't had the privilege of scripting anything related to Active Directory. I'm assuming PowerShell will be the way to go. However, I'm still learning/researching beyond that. Any tips/tricks/suggestions would be greatly appreciated.
Thanks!
EDIT: A link to what I've come up with: https://pastebin.com/0JvUrzQU
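The two passes described in this post and in the follow-up reply (prune current members whose E-mail attribute no longer matches, then add eligible users who are not yet members), as an added PowerShell example that is not the OP's pastebin script. It assumes the RSAT ActiveDirectory module, a group named "Group X" and the *@domain.org suffix, and it inspects only the mail attribute (not proxyAddresses); it runs with -WhatIf by default so you can review the changes before applying them.

```powershell
# Added example, not the OP's script. Assumptions: RSAT ActiveDirectory module,
# target group "Group X", eligible suffix "@domain.org".
Import-Module ActiveDirectory

$GroupName   = 'Group X'       # assumption: the security group to manage
$EmailSuffix = '@domain.org'   # assumption: the eligible mail domain
$DryRun      = $true           # $true = report only; set $false to apply

# Eligibility test: -like is case-insensitive; a user with no mail attribute
# yields $null, which does not match and is therefore treated as ineligible.
function Test-Eligible {
    param([string]$Mail)
    return ($Mail -like "*$EmailSuffix")
}

$group = Get-ADGroup -Identity $GroupName

# Direct user members of the group, resolved to user objects with mail loaded.
# Nested groups are ignored on purpose: only direct memberships are touched.
$members = Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail

# Pass 1: remove members whose mail no longer matches the pattern.
foreach ($m in $members) {
    if (-not (Test-Eligible $m.mail)) {
        Write-Host "Removing $($m.SamAccountName) (mail='$($m.mail)')"
        Remove-ADGroupMember -Identity $group -Members $m -Confirm:$false -WhatIf:$DryRun
    }
}

# Pass 2: add eligible, enabled users who are not already members.
# The filter runs server-side so only matching accounts are returned.
$memberDNs = @{}
foreach ($m in $members) { $memberDNs[$m.DistinguishedName] = $true }

$eligible = Get-ADUser -Filter "mail -like '*$EmailSuffix' -and Enabled -eq 'True'" -Properties mail
foreach ($u in $eligible) {
    if (-not $memberDNs.ContainsKey($u.DistinguishedName)) {
        Write-Host "Adding $($u.SamAccountName) (mail='$($u.mail)')"
        Add-ADGroupMember -Identity $group -Members $u -WhatIf:$DryRun
    }
}
```

Run it first with $DryRun left at $true and compare the "Removing"/"Adding" lines against what you expect before flipping it to $false; scheduling it as a task then keeps membership in sync as people move between organizations.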
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@storageninja said in Malicious Logins To Zimbra Mail Server:
I've seen a single VM handle 5000 users just fine (With Exchange). For Zimbra I can't imagine what the point of separating them out is unless it has functionality similar to DAG.
Right, many thousands of users from a single VM would make sense. Just give it more cores and more RAM until it can handle what is needed. Splitting out to another VM would only be useful if you are also adding more physical resources between the two as well, like one is on one server and one is on another and each have dedicated CPUs. Otherwise, the network connection between them just presents an extra, and unnecessary, bottleneck.
In my specific case, I have a cluster of hosts I could potentially spread the multi-server deployment across.
Still is only beneficial if the bottlenecks you have are addressed from doing so. Are you unable to give enough CPU or RAM from a single VM to meet the needs of the system? That's the only case that more VMs would be beneficial. Spreading out amongst physical hosts just creates network bottlenecks and OS overhead, otherwise.
Understood.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@storageninja said in Malicious Logins To Zimbra Mail Server:
I've seen a single VM handle 5000 users just fine (With Exchange). For Zimbra I can't imagine what the point of separating them out is unless it has functionality similar to DAG.
Right, many thousands of users from a single VM would make sense. Just give it more cores and more RAM until it can handle what is needed. Splitting out to another VM would only be useful if you are also adding more physical resources between the two as well, like one is on one server and one is on another and each have dedicated CPUs. Otherwise, the network connection between them just presents an extra, and unnecessary, bottleneck.
In my specific case, I have a cluster of hosts I could potentially spread the multi-server deployment across.
-
RE: Fitness and Weightloss
@tim_g said in Fitness and Weightloss:
@anthonyh said in Fitness and Weightloss:
@tim_g In all honesty I just need to track where I've left off. Sometimes I honestly can't remember and I'll get on a machine and feel like I've put on too much weight. I don't know if I am truly over weight from my last visit, or if I'm being lazy.
If I know where I left off, I'll know that I'm at minimum not regressing...if that makes sense. So all I really need I guess is something to track the exercise, weight (or whatever important metric the exercise entails), and date. Perhaps a Google Sheet is all I really need...but not sure how easy manipulating that on my phone would be.
When I did it, I used one from bodybuilding.com that I bought. I'll see if I can find it. That's your best bet. Using an app on your phone will take too long. Pen and paper is the best way to go imho.
I'll update this reply when I find it.
Edit: This is what I used: https://www.bodybuilding.com/store/bodybuildingcom-accessories/fitness-log.html
Looks a little different from when I had it, but same stuff. This looks a little better too.
Ooo. That's not bad.
I ended up picking up one of the sheets that my gym provides and am using that. The only annoyance is juggling the sheet, a pen, my water, and my phone. lol
I think what I may end up doing is logging everything initially on paper and then putting it into a Google Sheet or something later on. I do want to track my progress. I like seeing the numbers go in the right direction.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@storageninja said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actual mail back end).
Yup, agreed. You never really want to accept email directly yourself (on your email server, at least.)
What about doing a Zimbra multi-server install and installing the MTA on one VM and the rest of the services on another VM?
Not a bad idea, but doesn't provide you with enterprise mailbagging. It would in no way eliminate the best practice of having an HA hosted mailbagging system.
Right. After I replied I realized what you meant by not accepting mail directly yourself....ha.
I have been considering diving into a multi-server deployment at some point. I've been considering putting the mailbox service on its own hosts for performance reasons, but maybe instead I can organize services by publicly facing/not publicly facing and do two VMs that way.
In no way does this help in the scenario of the OP, though.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@storageninja said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actual mail back end).
Yup, agreed. You never really want to accept email directly yourself (on your email server, at least.)
What about doing a Zimbra multi-server install and installing the MTA on one VM and the rest of the services on another VM?
-
RE: Malicious Logins To Zimbra Mail Server
@storageninja said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actual mail back end).
Hmm. Something to think about I suppose. Though I want to make sure I balance security vs complexity.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
I fully agree with this. Shut down and blocked at the site's Firewall.
Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:
25
443
465
587
Although, do I need 465/587? All MTA to MTA should be through 25, right?
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
Ok. Now the only ports open inbound from the outside are 25 and 443.
-
RE: Malicious Logins To Zimbra Mail Server
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
I fully agree with this. Shut down and blocked at the site's Firewall.
Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:
25
443
465
587
Although, do I need 465/587? All MTA to MTA should be through 25, right?
-
RE: Malicious Logins To Zimbra Mail Server
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
...(how long does it take them to switch from IMAP/POP to ActiveSync?).
I will be able to tell you soon.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@coliver said in Malicious Logins To Zimbra Mail Server:
Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.
Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.
Is this attack over SSH or IMAP or web?
Appears to be IMAP (which will be blocked publicly shortly). We do not have SSH open publicly.
-
RE: Malicious Logins To Zimbra Mail Server
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@coliver said in Malicious Logins To Zimbra Mail Server:
Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.
I agree, we always use that.
Well, I wasn't saying not to use it. I was saying that I don't think it would be effective in this scenario.
-
RE: Malicious Logins To Zimbra Mail Server
@storageninja said in Malicious Logins To Zimbra Mail Server:
Lastly, who still uses Zimbra? We used to own it, but now just use O365 (and have Microsoft's billion dollars of security spending and IDS in front of it).
Obviously you have no need to be in this thread, then. I'm looking for suggestions on mitigating my existing services from the current threat. Not, "who uses this crap these days?"
-
RE: Malicious Logins To Zimbra Mail Server
If you're curious, here is a sample of the login failures via /opt/zimbra/log/audit.log
I also added this to the original post.
-
RE: Malicious Logins To Zimbra Mail Server
As I'm working through redacting stuff from this log sample, I'm noticing that most of the auths are coming via IMAP. I'm wondering if I can just disable IMAP externally (block the port at my firewall). Anyone who uses mail outside of our network connects via Exchange (we have Zimbra licensing) or the web interface. At least that's how they should be connecting at any rate. I'll have to talk to my boss. Hmm...
-
RE: Malicious Logins To Zimbra Mail Server
I'm working on posting a sample from the audit log so you can see what I'm talking about.
-
RE: Malicious Logins To Zimbra Mail Server
@coliver said in Malicious Logins To Zimbra Mail Server:
Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.
Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.
-
RE: Malicious Logins To Zimbra Mail Server
@dustinb3403 Definitely not full 2FA (we're talking ~400 users), but possibly something like a captcha (not foolproof I know).
I just want to implement something to further hinder these folks for now.