Bash Scripts for cbpolicyd: Difference between revisions

No edit summary
 
(18 intermediate revisions by 3 users not shown)
Previous revision:

===Introduction===

You can do many things using policies, but not all.

Here you can find some bash examples, a bare starting point to implement new functionalities.

===How to query sqlite===

Basically, you can run:

 echo "query string;" | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

where "query string" is an SQL statement you have tested on the sqlite interactive CLI:

 sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb

===Trapping abused sasl users===

I was interested in trapping SASL senders, when SASL credentials are abused and you have many connections per second, each coming from a different IP.

The table to use is session_tracking.

To search for SASL username and originating IP, you can issue:

 echo "select distinct SASLUsername, ClientAddress from session_tracking;" | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb | more

If you want to restrict it to the last 10 minutes:

 echo "select distinct SASLUsername, ClientAddress from session_tracking where ( (strftime('%s','now') - UnixTimestamp) < 600);" | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb | more

You have to filter out all connections coming from MTAs that can send to your server without authentication (1.2.3.4 and 4.3.2.1 below are placeholders for your own relay addresses):

 select distinct SASLUsername, ClientAddress from session_tracking where ( (strftime('%s','now') - UnixTimestamp) < 3600) and (ClientAddress != '1.2.3.4') and (ClientAddress != '4.3.2.1') ;

===The script===

This is the complete bash script example:

 #! /bin/bash
 # Find SASL users that sent from more than 5 distinct IPs in the last 10 minutes,
 # ignoring trusted MTAs (placeholders a.b.c.d and 1.2.3.4) and unauthenticated sessions.
 tmp=$(mktemp) || exit 1
 echo "select distinct  SASLUsername, ClientAddress
 from session_tracking
 where ( (strftime('%s','now') - UnixTimestamp) < 600)
 and (SASLUsername != '')
 and (ClientAddress != 'a.b.c.d') and (ClientAddress != '1.2.3.4') ;" \
     | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb | cut -f 1 -d '|' \
     | sort | uniq -c | awk '{ if( $1 > 5 ) print $2 " has sent from: " $1 " uniq ip " }' > "$tmp"
 # Alert, then reset the password of every flagged user (one per line, not just the first).
 [ -s "$tmp" ] && mail -s "alarm: botnet attack in act" alarm@yourdomain < "$tmp"
 [ -s "$tmp" ] && while read -r user _; do su - zimbra -c "zmprov sp $user changeme"; done < "$tmp"
 rm -f "$tmp"
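As an added example (not from the wiki page or the zimbra-tools project), here is the same detection carried out on constructed sample output of the session_tracking query: it counts distinct client IPs per SASL user, skips trusted relay MTAs and unauthenticated sessions, and flags users over a threshold. The addresses, user names, threshold and the TRUSTED_MTAS list are assumptions.

```shell
#!/bin/bash
# Added example, not from the wiki page: detect SASL accounts sending from too
# many distinct client IPs, using the "SASLUsername|ClientAddress" lines that
# the session_tracking query on this page produces via sqlite3.

# Build the page's query for the last N seconds (default 600 = 10 minutes).
recent_sessions_sql() {
  printf "select distinct SASLUsername, ClientAddress from session_tracking where (strftime('%%s','now') - UnixTimestamp) < %d;\n" "${1:-600}"
}

# MTAs allowed to relay without authentication (assumed RFC 5737 test addresses).
TRUSTED_MTAS="198.51.100.1 198.51.100.2"

# flag_abused THRESHOLD: reads "user|ip" lines on stdin and prints "user count"
# for every SASL user seen from more than THRESHOLD distinct, non-trusted IPs.
# Rows with an empty SASLUsername (unauthenticated sessions) are ignored.
flag_abused() {
  awk -F'|' -v thr="$1" -v trusted="$TRUSTED_MTAS" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) skip[t[i]] = 1 }
    NF == 2 && $1 != "" && !($2 in skip) && !seen[$1, $2]++ { ips[$1]++ }
    END { for (u in ips) if (ips[u] > thr) print u, ips[u] }
  ' | sort
}

# Constructed sample query output: alice from 6 distinct untrusted IPs (one
# duplicated, plus one trusted relay), bob from 2, and one unauthenticated session.
SAMPLE='alice@example.com|203.0.113.10
alice@example.com|203.0.113.11
alice@example.com|203.0.113.12
alice@example.com|203.0.113.13
alice@example.com|203.0.113.14
alice@example.com|203.0.113.15
alice@example.com|203.0.113.15
alice@example.com|198.51.100.1
bob@example.com|192.0.2.7
bob@example.com|192.0.2.8
|192.0.2.9'

# Offline demo on the sample. Against a live server the pipeline would be:
#   recent_sessions_sql 600 | sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb | flag_abused 5
printf '%s\n' "$SAMPLE" | flag_abused 5
```

The flagged list is what you would feed to the alerting and password-reset steps of the script above.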

Latest revision as of 10:14, 18 January 2023

Bash Scripts for CBPolicyD

   KB 20646        Last updated on 2023-01-18  

This is Zeta Alliance Certified Documentation. The content has been tested by the Community.


Introduction

Automated cbpolicyd installer for a single server. Tested on Zimbra 8.8.15 p7 CentOS 7, Zimbra 9.0.0 p29 CentOS 7, Zimbra 9.0.0 patch 29 on Ubuntu 20, Zimbra 10 on Ubuntu 20.

  • Installs policyd on MariaDB or MySQL (shipped with Zimbra) and shows the commands needed to activate it on Zimbra
  • No web UI is installed

You can download the script from here and run it as root:

https://raw.githubusercontent.com/Zimbra-Community/zimbra-tools/master/cbpolicyd.sh

You can use mysqldump to make backups of your policyd database. It is recommended that you keep a copy of cbpolicyd.sh up to date with your custom policies and rules, so that you can easily re-install policyd after Zimbra upgrades or in disaster recovery situations. You can also install policyd on a separate MariaDB server, so that multiple Zimbra MTA nodes talk to the same policyd database.
