Reject Email For Disabled AD Users on Exchange

If you disable an AD user, their mailbox still receives email on the Exchange server. To notify the sender, we usually create a mail flow rule in the ECP like this:

I found no setting in Exchange that stops disabled AD users from receiving email. On the other hand, rooms and shared mailboxes (and some other kinds of users) are also disabled AD accounts, and that is intended. I have mistakenly deleted some of those in the past 😉

A solution is to create a distribution group, populate it with the disabled AD users and create a rule that rejects email sent to its members.

I wanted to use a group that already contained all disabled users, but I couldn't see all of its members because Exchange ignores the user's primary group. Here is a good explanation which confirmed my suspicions.

I created a group named “DisabledUsers” and this script, which runs daily to populate its members:

# Collect disabled accounts, skipping the Exchange recipient types that are disabled by design
# (msExchRecipientDisplayType 0, 1, 6, 7, 8 and 10), and add them to the DisabledUsers group.
# The group name matches the one created above.
Get-ADUser -Filter {(Enabled -eq $False) -and
    (msExchRecipientDisplayType -ne '0') -and
    (msExchRecipientDisplayType -ne '1') -and
    (msExchRecipientDisplayType -ne '6') -and
    (msExchRecipientDisplayType -ne '7') -and
    (msExchRecipientDisplayType -ne '10') -and
    (msExchRecipientDisplayType -ne '8')
} | ForEach-Object { Add-ADGroupMember -Identity 'DisabledUsers' -Members $_.SamAccountName }

The values for msExchRecipientDisplayType can be found here.

While testing I added the value 10, which is some kind of system user and is not on the list, but I didn't dig deeper. With those filters I get all the users I need and add them to the group.
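The daily script above only ever adds members, so an account that is re-enabled stays in the group and keeps bouncing mail. The following is an added example, not the script from the post: a two-way sync that adds newly disabled accounts and removes re-enabled ones. It assumes the ActiveDirectory module, a group named DisabledUsers, and the same excluded msExchRecipientDisplayType values the post lists.

```powershell
# Added example (not from the post): two-way sync of the DisabledUsers group.
# Assumptions: ActiveDirectory module available, group 'DisabledUsers' exists,
# excluded recipient display types are the ones listed in the post.
Import-Module ActiveDirectory

$GroupName = 'DisabledUsers'
# Recipient types that are disabled AD accounts by design (rooms, shared/system mailboxes etc.).
$ExcludedDisplayTypes = @(0, 1, 6, 7, 8, 10)

function Get-DisabledUserTargets {
    # Disabled accounts that belong in the group. Accounts without the attribute (no mailbox)
    # are kept, which matches the original "-ne" filters where the attribute is absent.
    Get-ADUser -Filter 'Enabled -eq $false' -Properties msExchRecipientDisplayType |
        Where-Object {
            $type = $_.msExchRecipientDisplayType
            if ($null -eq $type) { $true } else { $ExcludedDisplayTypes -notcontains [int]$type }
        }
}

function Sync-DisabledUsersGroup {
    param([string]$Group = $GroupName, [switch]$WhatIf)

    $wanted  = @(Get-DisabledUserTargets | Select-Object -ExpandProperty SamAccountName)
    $current = @(Get-ADGroupMember -Identity $Group |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty SamAccountName)

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $Group -Members $toAdd -WhatIf:$WhatIf }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }

    # Summary object so the scheduled task can log what changed.
    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count; TotalDisabled = $wanted.Count }
}

# Dry run first; drop -WhatIf in the scheduled task.
Sync-DisabledUsersGroup -WhatIf
```

Run it once with -WhatIf to see which accounts would be added and removed before letting the scheduled task apply changes.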

Here is the new rule

It is also a good idea to disable NDR diagnostic information, as it reveals a bit too much about your internal setup, which is a potential security risk.

Get-RemoteDomain | Format-List Name,NDREnabled,NDRDiagnosticInfoEnabled
Set-RemoteDomain Default -NDRDiagnosticInfoEnabled $false

Updating Apache Tomcat

Since I began using OpenVAS I have tried to keep the network clean of vulnerabilities. The report showed that there were some vulnerabilities on the SysAid server, which uses Apache Tomcat. I realized that the latest version of SysAid was already installed, but the embedded Tomcat was not updated.

This is the report for this host.

When you open SysAid and go to About, you see that it uses Tomcat 9.0.71, which is not up to date.

After searching around a bit I was unable to find a solution for securing SysAid and/or updating the Tomcat version. I did however read the latest patch notes from SysAid: they did update their embedded Tomcat version, but it is still not the latest one.

I found out that it is actually quite easy to update Tomcat yourself. This procedure probably works for the majority of services that embed it.

First, go to the Tomcat website and download the 32-bit Windows zip.

Extract it somewhere.

Go to your SysAid installation folder and make a copy of the tomcat folder (tomcat-new). Better safe than sorry.

Then open the copied folder and replace all the files in its bin and lib folders with the ones from the extracted version (this was a bit of guessing, but it works).

Now stop the SysAid service, rename the original tomcat folder to tomcat-old and the tomcat-new folder to tomcat, and start the service again.
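The same procedure as a script, added here as an example (it is not from the post and not a SysAid tool): it copies the tomcat folder, replaces only bin\ and lib\ in the copy, swaps the folders while the service is stopped, and reads the Tomcat version out of lib\catalina.jar before and after so you can confirm the update without starting a browser. The SysAid root folder, the service name and the zip path are assumptions; adjust them to your installation.

```powershell
# Added example (not from the post): scripted version of the manual Tomcat swap.
# Assumptions: $SysAidRoot, $ServiceName and $TomcatZip below; the zip is the Windows
# 32-bit "apache-tomcat-<version>-windows-x86.zip" from the Tomcat download page.
$ErrorActionPreference = 'Stop'
$SysAidRoot  = 'C:\SysAidServer'                                                  # assumption
$ServiceName = 'SysAidServer'                                                     # assumption
$TomcatZip   = "$env:USERPROFILE\Downloads\apache-tomcat-9.0.XX-windows-x86.zip"  # placeholder version

function Get-TomcatVersion {
    # Reads "server.info=Apache Tomcat/9.0.xx" from ServerInfo.properties inside lib\catalina.jar.
    param([Parameter(Mandatory)][string]$TomcatDir)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $jar = [System.IO.Compression.ZipFile]::OpenRead((Join-Path $TomcatDir 'lib\catalina.jar'))
    try {
        $entry  = $jar.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try {
            $line = $reader.ReadToEnd() -split "`r?`n" | Where-Object { $_ -like 'server.info=*' } | Select-Object -First 1
            return ($line -replace '^server\.info=', '')
        } finally { $reader.Dispose() }
    } finally { $jar.Dispose() }
}

function Update-EmbeddedTomcat {
    param([string]$Root = $SysAidRoot, [string]$Zip = $TomcatZip, [string]$Service = $ServiceName)
    $current = Join-Path $Root 'tomcat'
    $new     = Join-Path $Root 'tomcat-new'
    $old     = Join-Path $Root 'tomcat-old'
    if (Test-Path $new) { throw "$new already exists; remove the stale copy first" }
    if (Test-Path $old) { throw "$old already exists; a previous update was not cleaned up" }

    Write-Host "Currently embedded: $(Get-TomcatVersion -TomcatDir $current)"

    # 1. Extract the zip; it contains a single apache-tomcat-<version> folder.
    $extract = Join-Path $env:TEMP ('tomcat-' + [guid]::NewGuid())
    Expand-Archive -Path $Zip -DestinationPath $extract
    $source = Get-ChildItem -Path $extract -Directory -Filter 'apache-tomcat-*' | Select-Object -First 1
    if (-not $source) { throw "No apache-tomcat-* folder found in $Zip" }
    Write-Host "Downloaded: $(Get-TomcatVersion -TomcatDir $source.FullName)"

    # 2. Copy the whole folder, then replace only bin\ and lib\ in the copy. conf, webapps and
    #    the SysAid-specific files are kept as they are.
    Copy-Item -Path $current -Destination $new -Recurse
    foreach ($sub in 'bin', 'lib') {
        Remove-Item -Path (Join-Path $new $sub) -Recurse -Force
        Copy-Item -Path (Join-Path $source.FullName $sub) -Destination (Join-Path $new $sub) -Recurse
    }

    # 3. Swap the folders while the service is stopped, then start it again.
    Stop-Service -Name $Service
    (Get-Service -Name $Service).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    Rename-Item -Path $current -NewName 'tomcat-old'
    Rename-Item -Path $new     -NewName 'tomcat'
    Start-Service -Name $Service

    Write-Host "Now embedded: $(Get-TomcatVersion -TomcatDir $current)"
    Remove-Item -Path $extract -Recurse -Force
}

Update-EmbeddedTomcat
```

If the service does not come up afterwards, stop it, rename tomcat back to tomcat-new and tomcat-old back to tomcat; the original folder is never modified.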

Now SysAid is running the latest Tomcat version and all the reported vulnerabilities are gone.

Disabling insecure ciphers

I started playing around a bit with vulnerability scanners. Lots of people like to use Nessus, but it is not cheap just for playing around. There is an open version, though, as Nessus was open source until version 3: it is called OpenVAS. The OS used was Ubuntu 22.04. The installation guide for the community version is written perfectly and the installation went smoothly.

The only thing I changed was this line, which let me connect to the UI remotely from any IP (0.0.0.0 exposes the web UI on every interface, so restrict who can reach port 9392 with a firewall or bind to a single LAN address instead). That was not a trivial task, as all the information on the internet for OpenVAS was for the old non-Docker deployment, where you could easily edit the config; Docker is a bit different. After some research, this is how I enabled OpenVAS to allow remote connections. I changed this:

  gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    ports:
      - 127.0.0.1:9392:80
    volumes:
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd

to this:

  gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    ports:
      - 0.0.0.0:9392:80
    volumes:
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd

After everything was set up OpenVAS started to work. The first scan found a few issues, some “known” and quite a few “unknown” to me 😉

It found that some old encryption algorithms were still in use and that some were vulnerable to SWEET32, especially the DES-CBC3-SHA cipher.

Here are a few examples of what OpenVAS found on different hosts:

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

I did some manual tests with sslscan, which is a nice tool to check ciphers. I lost the first few screenshots I made (thanks, WordPress), but here is an example of sslscan output before the changes were applied.

This example, however, does not show the DES-CBC3-SHA cipher.

How ciphers work on Windows, and which registry entries you need, is explained here; I also found some examples here on this blog.

I chose to add a few more registry entries to disable some more of the older ciphers:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

The last key disables the DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) cipher. When you apply this registry file the change is instant; you can check it with sslscan.

edit:

A few days later I noticed that OpenVAS did not update its feeds. The feed status page should look like this, but it said “Too old (xx days) Please check the automatic synchronization of your system”.

This forum post explained how to update the OpenVAS feeds manually.

#!/bin/sh
set -e
# location of the community container compose file
DOWNLOAD_DIR="$HOME/greenbone-community-container"
export DOWNLOAD_DIR
# pull the current feed data containers
docker compose -f "$DOWNLOAD_DIR/docker-compose.yml" -p greenbone-community-edition pull notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects
# recreate them so the feed files are copied into the volumes
docker compose -f "$DOWNLOAD_DIR/docker-compose.yml" -p greenbone-community-edition up -d notus-data vulnerability-tests scap-data dfn-cert-data cert-bund-data report-formats data-objects

I saved the script as update.sh and placed it in my home folder. Now it only needs to be run every now and then. The simplest way is to use “crontab -e” and add the following line, which runs it every day at 02:00:

0 2 * * * sh /home/XXXX/update.sh

Exchange Edge server IPBlockListProvider starts to block wrong IP addresses

Just after New Year some emails were getting rejected on our side because the sending IP was found on a blacklist. I checked the IP addresses, but they were not on the list.

550 5.7.107 Your message was rejected because the IP address of the sending server x.x.x.x is blacklisted

This was blocked by Surriel's block list (also SORBS and Spamhaus). I checked the entry on https://psbl.org/ but the IP was not there.

I ran Test-IPBlockListProvider on the Edge server to check whether it was listed there. It was.

[PS] C:\>Test-IPBlockListProvider -Identity "Surriel" -IPAddress x.x.x.x

Provider ProviderResult      Matched
Surriel  {z.z.z.z, y.y.y.y}  True

Interesting… I did a manual DNS check:

[PS] C:\>nslookup x.x.x.x.psbl.surriel.org 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    x.x.x.x.psbl.surriel.org
Addresses:  z.z.z.z
            y.y.y.y

Now we can see that the “ProviderResult” values come from the non-authoritative answer.

I found this article that explains what kind of answers you should get from nslookup on SORBS. After a bit more research I found this configuration example for Spamhaus. It was a bit different from the Add-IPBlockListProvider command I had used to configure the block lists in the past, but it made sense. I changed the settings for SORBS based on the documentation of how SORBS replies should look. I added all the replies it sends (you can use any zone and it should work; I am using safe.dnsbl.sorbs.net).

Set-IPBlockListProvider -Identity "Sorbs" -Enabled $true -Anymatch $False -BitmaskMatch $null -IPAddressesMatch '127.0.0.2','127.0.0.3','127.0.0.4','127.0.0.5','127.0.0.6','127.0.0.7','127.0.0.8','127.0.0.9','127.0.0.10','127.0.0.11','127.0.0.12','127.0.0.14'

I applied the same settings to Surriel (psbl.surriel.org) with a few more replies, as I am not sure which replies it should return.

Set-IPBlockListProvider -Identity "Surriel" -Enabled $true -Anymatch $False -BitmaskMatch $null -IPAddressesMatch '127.0.0.1','127.0.0.2','127.0.0.3','127.0.0.4','127.0.0.5','127.0.0.6','127.0.0.7','127.0.0.8','127.0.0.9','127.0.0.10','127.0.0.11','127.0.0.12','127.0.0.14','127.0.0.13','127.0.0.15'

The settings for Spamhaus (zen.spamhaus.org) are the ones from the Spamhaus example page.

# -Identity is required by Set-IPBlockListProvider; the remaining parameters are the ones from the Spamhaus example
Set-IPBlockListProvider -Identity 'Spamhaus ZEN' -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' -Enabled $true -BitmaskMatch $null -IPAddressesMatch '127.0.0.2','127.0.0.3','127.0.0.4','127.0.0.9','127.0.0.10','127.0.0.11' -Priority '1' -AnyMatch $false -RejectionResponse 'Connecting IP address {0} has been blocked by Spamhaus ZEN. See http://www.spamhaus.org/query/bl?ip={0} for further details.'

Basically I just copied the command and changed Add to Set, as I already had the provider configured.

These are the settings for Spamcop (bl.spamcop.net), based on the info here.

Set-IPBlockListProvider -Identity "Spamcop" -Enabled $true -Anymatch $False -BitmaskMatch $null -IPAddressesMatch '127.0.0.2'

Edit: Lately I had to disable Spamcop, as it was rejecting too many Microsoft IP addresses (admittedly listed for legitimate reasons).

So awesome to have everything in the cloud

Anyway, the test now looks as it should. The result is the same as before, but Matched is False.

[PS] C:\>Test-IPBlockListProvider -Identity "Surriel" -IPAddress x.x.x.x

Provider ProviderResult      Matched
Surriel  {z.z.z.z, y.y.y.y}  False

Here are the few lines I use to check all my providers.

$eyepee = "x.x.x.x"
Test-IPBlockListProvider -Identity "Sorbs" -IPAddress $eyepee
Test-IPBlockListProvider -Identity "Spamcop" -IPAddress $eyepee
Test-IPBlockListProvider -Identity "Surriel" -IPAddress $eyepee
Test-IPBlockListProvider -Identity "Spamhaus ZEN" -IPAddress $eyepee

The funniest thing is that the settings used until now had worked for many years. In all the “how to set up Exchange Edge spam filtering” guides the commands looked like this, and it worked. It could be some DNS change.

Add-IPBlockListProvider -Name Surriel -LookupDomain psbl.surriel.org -AnyMatch $True -Enabled $True -RejectionResponse "Your IP is on the psbl.org block list"
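To make the difference between the old and the new provider settings visible, here is an added example (not from the post and not Exchange code) that re-implements the core of Test-IPBlockListProvider: it reverses the IP, queries the lookup zone and applies either the AnyMatch rule (any returned address counts as a listing) or an explicit IPAddressesMatch list of 127.0.0.x return codes. The provider definitions mirror the commands above; the DNS answers are constructed TEST-NET addresses so the script runs offline, and a resolver scriptblock parameter lets you swap in Resolve-DnsName for a live check.

```powershell
# Added example (not from the post): minimal re-implementation of the DNSBL lookup that
# Test-IPBlockListProvider performs, with the AnyMatch vs IPAddressesMatch decision made explicit.
function ConvertTo-DnsblQueryName {
    # 203.0.113.7 + psbl.surriel.org -> 7.113.0.203.psbl.surriel.org
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$LookupDomain)
    $octets = $IPAddress.Split('.')
    if ($octets.Count -ne 4) { throw "IPv4 address expected, got '$IPAddress'" }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.' + $LookupDomain
}

function Test-DnsblMatch {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][hashtable]$Provider,   # keys: Name, LookupDomain, AnyMatch, IPAddressesMatch
        [scriptblock]$Resolver = { param($name) (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress }
    )
    $query = ConvertTo-DnsblQueryName -IPAddress $IPAddress -LookupDomain $Provider.LookupDomain
    try { $answers = @(& $Resolver $query) } catch { $answers = @() }   # NXDOMAIN: not listed
    $matched = if ($answers.Count -eq 0) { $false }
               elseif ($Provider.AnyMatch) { $true }                       # any answer at all is a hit
               else { @($answers | Where-Object { $Provider.IPAddressesMatch -contains $_ }).Count -gt 0 }
    [pscustomobject]@{
        Provider       = $Provider.Name
        Query          = $query
        ProviderResult = ($answers -join ', ')
        Matched        = $matched
    }
}

# Constructed answers: the PSBL zone returns two non-127.x addresses (the z.z.z.z case from the
# post); ZEN returns a genuine listing code; Spamcop has no record (NXDOMAIN).
$fakeAnswers = @{
    '7.113.0.203.psbl.surriel.org' = @('192.0.2.10', '192.0.2.11')
    '7.113.0.203.zen.spamhaus.org' = @('127.0.0.4')
}
$fakeResolver = { param($name)
    if ($fakeAnswers.ContainsKey($name)) { $fakeAnswers[$name] } else { throw "NXDOMAIN $name" }
}.GetNewClosure()

$providers = @(
    @{ Name = 'Surriel (old: AnyMatch)'; LookupDomain = 'psbl.surriel.org'; AnyMatch = $true;  IPAddressesMatch = @() }
    @{ Name = 'Surriel (new: codes)';    LookupDomain = 'psbl.surriel.org'; AnyMatch = $false; IPAddressesMatch = @('127.0.0.2', '127.0.0.3') }
    @{ Name = 'Spamhaus ZEN';            LookupDomain = 'zen.spamhaus.org'; AnyMatch = $false; IPAddressesMatch = @('127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.9', '127.0.0.10', '127.0.0.11') }
    @{ Name = 'Spamcop';                 LookupDomain = 'bl.spamcop.net';   AnyMatch = $false; IPAddressesMatch = @('127.0.0.2') }
)

$providers | ForEach-Object { Test-DnsblMatch -IPAddress '203.0.113.7' -Provider $_ -Resolver $fakeResolver } |
    Format-Table -AutoSize
```

With the constructed answers the AnyMatch provider reports Matched = True for the same two non-127.x addresses that the code-based provider ignores, which is exactly the before/after the two Test-IPBlockListProvider runs above show. Drop the -Resolver argument to query the real zones.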

Windows Server 2012 R2 .NET Framework 3.5 installation

On a cleanly installed and fully patched Server 2012 R2 I was unable to install the .NET Framework 3.5. I tried everything: enabling it from the GUI, via DISM and via PowerShell. Nothing worked.

Install-WindowsFeature:

PS C:\Users\Administrator> Install-WindowsFeature -name Net-framework-core
Install-WindowsFeature : The request to add or remove features on the specified server failed.
Installation of one or more roles, role services, or features failed.
The source files could not be downloaded.
Use the "source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f0906
At line:1 char:1
+ Install-WindowsFeature -name Net-framework-core
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (@{Vhd=; Credent...Name=localhost}:PSObject) [Install-WindowsFeature], Exception
    + FullyQualifiedErrorId : DISMAPI_Error__Cbs_Download_Failure,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             Failed         {}

DISM:

The operation completed successfully.
PS C:\Users\Administrator> Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess

Deployment Image Servicing and Management tool
Version: 6.3.9600.19408

Image Version: 6.3.9600.19397

Enabling feature(s)
[===========================66.3%======                    ]

Error: 0x800f081f

The source files could not be found.
Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077.

The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

I tried quite a few options suggested on the internet, from removing some patches to running DISM /RestoreHealth. KB3005628 suggests removing KB2955827 or KB2955827… there were also some other KBs that people removed, after which they were able to install the framework. I had none of them installed.

In C:\Windows\Logs\CBS\cbs.log there were some unclear errors:

2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx3-Server-OC-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: NetFx3
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx3-Server-OC-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: NetFx3, MarkDeploymentStaged: amd64_microsoft-windows-netfx3-deployment_31bf3856ad364e35_6.3.9600.16384_none_cbc54c5cc9340cf2
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: Microsoft-Windows-Presentation-Package
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: Microsoft-Windows-Presentation-Package, MarkDeploymentStaged: amd64_wpf-deployment_31bf3856ad364e35_6.3.9600.16384_none_86af46c9a5682dde
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: NetFx2
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: NetFx2, MarkDeploymentStaged: amd64_microsoft-windows-netfx2-deployment_31bf3856ad364e35_6.3.9600.16384_none_03967f182a68b3d1
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx3-Server-OC-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384, Update: NetFx3
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx3-Server-OC-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384, Update: NetFx3, MarkDeploymentStaged: amd64_microsoft-windows-n..oyment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_9d44cc795fe16528
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384, Update: Microsoft-Windows-Presentation-Package
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~en-US~6.3.9600.16384, Update: Microsoft-Windows-Presentation-Package, MarkDeploymentStaged: amd64_wpf-deployment-languagepack_31bf3856ad364e35_6.3.9600.16384_en-us_692f3de7898e13f4
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Package_1_for_KB5029915~31bf3856ad364e35~amd64~~6.3.1.1, Update: 5029915-1_neutral
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Package_1_for_KB5029915~31bf3856ad364e35~amd64~~6.3.1.1, Update: 5029915-1_neutral, MarkDeploymentStaged: amd64_6d6a05250ca5fed440279d1d8e0f6b44_31bf3856ad364e35_6.3.9600.21550_none_5d179bb6ca190bf7
2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Package_1_for_KB5029915~31bf3856ad364e35~amd64~~6.3.1.1, Update: 5029915-2_neutral

Well, the update KB5029915 looked suspicious… I removed it with

wusa /uninstall /kb:5029915

then ran

Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess

and .NET 3.5 installed 🙂

It is quite funny that the October 10, 2023 Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012 R2 (KB5029915) breaks the installation of .NET Framework 3.5. It is also possible that some previous or future rollups have broken or will break this.
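The rollup only stood out because its package was being staged in the same CBS run as the NetFx3 package. The following added example (not from the post) automates that reading: it pulls the KB ids out of "Staging Package: Package_N_for_KB…" lines and cross-checks them against Get-HotFix, so the candidate update can be identified without scrolling through cbs.log. The log lines in the script are a constructed sample made from the excerpt above; the Get-HotFix part needs a live Windows host.

```powershell
# Added example (not from the post): extract staged update KBs from CBS log lines and check
# whether they are installed. Sample lines are constructed from the cbs.log excerpt in the post.
function Get-CbsStagedKB {
    # Distinct KB ids from lines like "Staging Package: Package_1_for_KB5029915~31bf..."
    param([Parameter(Mandatory)][string[]]$LogLines)
    $LogLines |
        ForEach-Object { [regex]::Match($_, 'Staging Package: Package_\d+_for_KB(?<kb>\d+)~') } |
        Where-Object { $_.Success } |
        ForEach-Object { 'KB' + $_.Groups['kb'].Value } |
        Sort-Object -Unique
}

function Get-StagedKBReport {
    # Joins the staged KBs with the installed hotfix list and shows the matching wusa command.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    foreach ($kb in Get-CbsStagedKB -LogLines $LogLines) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
            Uninstall = 'wusa /uninstall /kb:' + $kb.Substring(2)   # the command used in the post
        }
    }
}

# Constructed sample: three lines taken from the cbs.log excerpt above.
$sampleLog = @(
    '2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Microsoft-Windows-NetFx3-Server-OC-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, Update: NetFx3'
    '2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Package_1_for_KB5029915~31bf3856ad364e35~amd64~~6.3.1.1, Update: 5029915-1_neutral'
    '2023-11-10 10:35:44, Info                  CBS    Exec: Staging Package: Package_1_for_KB5029915~31bf3856ad364e35~amd64~~6.3.1.1, Update: 5029915-2_neutral'
)
Get-StagedKBReport -LogLines $sampleLog | Format-Table -AutoSize

# Against the real log (it is large, so filter the lines first):
# Get-StagedKBReport -LogLines (Select-String -Path C:\Windows\Logs\CBS\cbs.log -Pattern 'Staging Package: Package_').Line
```

The report lists each rollup staged alongside the feature; removing one is still a judgement call, but at least the candidates come from the log instead of from guesswork.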

Urbackup corrupt database on Synology NAS

UrBackup stopped working. OK, no problem, restart it. Doesn't work… OK…

I noticed that the database was corrupt. I SSH-ed into the Synology and did some digging. The executable on this system is installed in “/volume1/@appstore/urbackup/bin/”. On the UrBackup forum they say to run the “repair-database” command.

So I ran:

ash-4.3# /volume1/@appstore/urbackup/bin/urbackupsrv repair-database -u root
2023-11-03 12:08:03: SQLite: recovered 1817 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server.db-wal code: 283
2023-11-03 12:08:04: SQLite: recovered 190876 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server_files.db-wal code: 283
2023-11-03 12:08:04: SQLite: recovered 10698 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server_link_journal.db-wal code: 283
2023-11-03 12:08:04: SQLite: recovered 88728 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server_links.db-wal code: 283
2023-11-03 12:08:04: SQLite: recovered 140 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server_settings.db-wal code: 283
2023-11-03 12:08:04: SQLite: recovered 1817 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server.db-wal code: 283
2023-11-03 12:08:04: Recovering contents of database with id 20...
2023-11-03 12:08:57: SQLite: recovered 140 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server_settings.db-wal code: 283
2023-11-03 12:08:57: Recovering contents of database with id 30...
2023-11-03 12:08:57: SQLite: recovered 190876 frames from WAL file /volume1/@appstore/urbackup/var/urbackup/backup_server_files.db-wal code: 283
2023-11-03 12:08:57: Recovering contents of database with id 23...
2023-11-03 12:10:30: WARNING: SQLite: database corruption at line 56972 of [3bfa9cc97d] errorcode: 11

OK, it looks like it is repairing the database… but after a while this error pops up:

SQL error: database or disk is full

I checked the disk space on the volumes with “df -H” and everything looked good:

Filesystem      Size  Used Avail Use% Mounted on
/dev/md0        2.5G  1.2G  1.2G  49% /
none            8.5G     0  8.5G   0% /dev
/tmp            8.5G  819M  7.6G  10% /tmp
/run            8.5G  5.8M  8.5G   1% /run
/dev/shm        8.5G  4.1k  8.5G   1% /dev/shm
none            4.1k     0  4.1k   0% /sys/fs/cgroup
cgmfs           103k     0  103k   0% /run/cgmanager/fs
/dev/md3        476G  245G  232G  52% /volume2
/dev/md2         70T   45T   25T  65% /volume1

So I ran the repair command again… but this time there were some other errors, and I had to delete the exported data first:

After deleting those 3 files the repair ran again. I SSH-ed into another session and monitored the disk usage with “df -H”. I noticed that the system root mount point / was filling up. When it reached 100% used space the UrBackup repair failed.

I wanted to check which process was writing, but the Synology was missing the iotop tool. The solution was simply to install the “Diagnosis Tool”, as described on Reddit and on Fabian's blog:

sudo synogear install
iotop --only

You can't see it in this picture, but there was a tiny amount of disk writes from urbackupsrv, so it had to be what was filling up the disk. So let us look at the open files of urbackupsrv:

lsof -c urbackupsrv

Hmmm, now we have found the problematic file… it was written to /var/tmp/, which is mounted on /. The file was visible only here. The internet told me that the “etilqs” files are temp files from sqlite3. So now I needed to change the temp directory for sqlite3. I achieved this by setting the following environment variables. It is stated that one of those should work, but I used all 3 just to be sure. I chose the /tmp folder as this mount point has more storage space.

SQLITE_TMPDIR=/tmp
export SQLITE_TMPDIR
TMPDIR=/tmp
export TMPDIR
sqlite3_temp_directory=/tmp
export sqlite3_temp_directory

Now I had to kill the process again (had to use kill -9), delete the SQL export files again and run the repair again. Now the temp files are stored where there is more space and the repair can do its job.

Here we can see that the tmp folder has changed.

While researching this problem I found this post, which mentions that the corruption happens if you use symbolic links for your database. I used a symbolic link to point to the database, as the data was moved to an SSD on a different volume for speed. It is also mentioned that mount --bind should solve the problem. The only way I managed to make that persist across reboots was with a startup script in “Task Scheduler”.

And this is the lengthy script used to run UrBackup on boot:

#!/bin/sh
# keep the sqlite temp files on /tmp instead of /var/tmp on the small root volume
SQLITE_TMPDIR=/tmp
export SQLITE_TMPDIR
TMPDIR=/tmp
export TMPDIR
sqlite3_temp_directory=/tmp
export sqlite3_temp_directory
# bind mount instead of a symlink: the database lives on the SSD volume
mount --bind /volume2/urbackup_1/ /volume1/@appstore/urbackup/var/urbackup
# make sure the package-started instance is gone before starting our own
/usr/syno/bin/synopkg stop urbackup
sleep 15
pkill urbackupsrv
sleep 15
rm -f /volume1/@appstore/urbackup/var/urbackupJOB.log
# raise the open file limits
sysctl -w fs.file-max=65535
ulimit -a
sysctl -p
ulimit -Hn 65535
ulimit -n 65535
ulimit -He 50
ulimit -e 50
ulimit -SHn 65535
ulimit -SHe 50
ulimit -a
echo "Executing process"
# the repair command is only echoed here as a reminder; it is not run on boot
echo /volume1/@appstore/urbackup/bin/urbackupsrv repair-database -u root
/volume1/@appstore/urbackup/bin/urbackupsrv run -d -v error -u sc-urbackup --pidfile /volume1/@appstore/urbackup/var/urbackup.pid --logfile /volume1/@appstore/urbackup/var/urbackupJOB.log

The ulimit commands are there to increase the maximum number of open files; I have had them there for quite a while. The rest is quite self-explanatory.

Here is the script I use to restart UrBackup if it crashes:

#!/bin/sh
if pgrep -x urbackupsrv > /dev/null
then
    echo "Running"
else
    echo "Stopped"
    sysctl -w fs.file-max=65535
    ulimit -a
    sysctl -p
    ulimit -Hn 65535
    ulimit -n 65535
    ulimit -He 50
    ulimit -e 50
    ulimit -SHn 65535
    ulimit -SHe 50
    ulimit -a
    echo "Executing process"
    /volume1/@appstore/urbackup/bin/urbackupsrv run -d -v error -u sc-urbackup --pidfile /volume1/@appstore/urbackup/var/urbackup.pid --logfile /volume1/@appstore/urbackup/var/urbackupJOB.log
fi

UPDATE:

I realised that there had been no successful backups since the database repair. The log showed:

ERROR  Error creating new backup row in database

The problem was that running the repair as root left the new databases owned by root and read-only for the urbackup user. “chmod” changed that quickly. So in hindsight it might have been better to run the repair as the sc-urbackup user, but that could have caused some other permission issue. Doesn't matter, I just wanted to share this 😉

Block emails from new domains with SpamAssassin and SEM

Recently there has been an influx of scam emails from fake domains that look similar to the real ones. An example would be an email from the sender “info@hbsc.com”. At first glance the domain seems OK, as it is easy to overlook such a typo 🙂 After digging a bit deeper we found out that all of the spam comes from newly registered domains. The solution to this is the Spam Eating Monkey.

The service checks whether a domain was registered recently, and based on that information you can block it. It is very easy to add to your SpamAssassin installation. Go to the service site; I chose the 30-day SEM-FRESH service.

To install it, create a new .cf file, for example sem.cf, in your config folder (C:\Program Files (x86)\SpamAssassin\etc\spamassassin\).

Copy the following lines from here, or from below:

# SEM-FRESH30
urirhssub SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
body SEM_FRESH30 eval:check_uridnsbl('SEM_FRESH30')
describe SEM_FRESH30 Contains a domain registered less than 30 days ago
tflags SEM_FRESH30 net
score SEM_FRESH30 5

Check that everything works with the command:

spamassassin --lint

Restart the SpamAssassin service and your “domain registration date checker” is active.
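To see what the SEM_FRESH30 rule actually does at lookup time, here is an added example (not from the post, and not SpamAssassin or SEM code) that performs the check by hand: host names are taken from the URIs in the message body, reduced to a registered domain (an assumption; the last two labels are used here, while SpamAssassin applies its own registrar-boundary logic), and <domain>.fresh30.spameatingmonkey.net is queried for an A record. The "A 2" in the urirhssub line is a bitmask on the last octet of the answer, so 127.0.0.2 is a hit. The message and the DNS answers are constructed so the script runs offline; pass no -Resolver to query the real zone.

```powershell
# Added example (not from the post): manual equivalent of the SEM_FRESH30 urirhssub rule.
function Get-UriDomains {
    # Host names from http(s) URIs in the body, reduced to the last two labels (assumption).
    param([Parameter(Mandatory)][string]$Body)
    [regex]::Matches($Body, '(?i)https?://([a-z0-9.-]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() } |
        ForEach-Object {
            $labels = $_ -split '\.'
            if ($labels.Count -ge 2) { $labels[-2..-1] -join '.' } else { $_ }
        } |
        Sort-Object -Unique
}

function Test-SemFresh30 {
    param(
        [Parameter(Mandatory)][string]$Body,
        [int]$Bitmask = 2,     # the "2" in "urirhssub SEM_FRESH30 fresh30.spameatingmonkey.net. A 2"
        [int]$Score   = 5,     # the "score SEM_FRESH30 5" line
        [scriptblock]$Resolver = { param($name) (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress }
    )
    $hits = foreach ($domain in Get-UriDomains -Body $Body) {
        $query = "$domain.fresh30.spameatingmonkey.net"
        try { $answers = @(& $Resolver $query) } catch { $answers = @() }   # NXDOMAIN: not a fresh domain
        foreach ($a in $answers) {
            $octets = $a -split '\.'
            # Only 127.x.x.x answers are list codes; test the bitmask against the last octet.
            if ($octets.Count -eq 4 -and $octets[0] -eq '127' -and (([int]$octets[3]) -band $Bitmask)) { $domain; break }
        }
    }
    [pscustomobject]@{
        Rule         = 'SEM_FRESH30'
        FreshDomains = @($hits)
        Score        = $(if ($hits) { $Score } else { 0 })
    }
}

# Constructed sample: one link to a freshly registered look-alike domain, one to an old one.
$sampleBody = @'
Dear customer, please verify your account at https://secure-login.hbsc-example.com/verify
Our real site is https://www.example.com/
'@
$fakeAnswers = @{
    'hbsc-example.com.fresh30.spameatingmonkey.net' = @('127.0.0.2')   # listed: registered < 30 days ago
    # example.com has no entry: the resolver throws (NXDOMAIN) and it is treated as not listed
}
$fakeResolver = { param($name)
    if ($fakeAnswers.ContainsKey($name)) { $fakeAnswers[$name] } else { throw "NXDOMAIN $name" }
}.GetNewClosure()

Test-SemFresh30 -Body $sampleBody -Resolver $fakeResolver
```

Running the live lookup against a handful of recent phishing samples is a quick way to confirm the rule fires before you trust the score of 5 in production.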

Arduino as a USB keyboard for finding a PIN

There was a device that was password protected with a 4-digit numerical PIN that no one knew. As this was a black box with only a USB input, the only way to get the PIN was brute force. Luckily there was no timeout: if you entered the wrong PIN it just popped the login window back up.

I found a nice Arduino project that can emulate a USB keyboard.

The project also has a wiring schematic.

https://github.com/shubell/USBKeyboard

After wiring everything on a protoboard (I didn't have any Zener diodes, so I used some red LEDs) and running the sample code, the computer detected the keyboard and received some input. For testing I used a cheap USB hub (if something goes wrong, I only destroy the hub and not my USB ports).

I struggled a bit with getting the code to send the correct output. Not sure why, but I had to do this in the code for every digit. I could not use the variable “element” in the output function: even though it had a value, for example '0', the output was different. So this was my solution… yes, I know, silly… but it works…

if (element == '0') {
    mKeyboard.sendKey(mKeyboard.asciiToKeycode('0'));
}
if (element == '1') {
    mKeyboard.sendKey(mKeyboard.asciiToKeycode('1'));
}
...

The code counts down: it types 9999 and presses Return, waits 1 second, types 9998 and Enter… and so on down to 1000 (that was fine for me, as the PIN could not start with a 0).

Here is the code:

KnowBe4 Second Chance msi install

My preferred way to install software on domain computers is still MSI packages via GPO. This post is about installing KnowBe4 Second Chance, great software BTW.

First, of course, you read the Second Chance Product Manual and you don't see a way to install it using an MSI. After a while you find their guide on how to install it with an MSI, which is quite nice; the only thing missing is a link to the MSI file 😉

Finding the MSI file is quite simple. Run their installer “SecondChanceSetup.exe”.

A popup appears.

Click Install and another popup appears.

While the popup is open, navigate to C:\Users\USER\AppData\Local\Temp and find the most recently created folder (or the second one).

For me it looked like this:

Inside the folder you can find the needed SecondChanceSetup.msi.

Copy it somewhere safe and follow the MSI guide.

My test installation command looks like this:

msiexec /I "\\domain\secondchance\secondchancesetup.msi" /norestart TRANSFORMS="\\domain\secondchance\install.mst" -msi /quiet

There was also a need for some outbound firewall rules (yes, I have everything blocked):

netsh advfirewall firewall add rule name="knowbe4.secondchance.installerhelper.exe" dir=out action=allow program="%systemdrive%\Program Files (x86)\KnowBe4\Second Chance\knowbe4.secondchance.installerhelper.exe" enable=yes protocol=TCP remoteport=80,443 profile=any
netsh advfirewall firewall add rule name="knowbe4.secondchance.userdialog.exe" dir=out action=allow program="%systemdrive%\Program Files (x86)\KnowBe4\Second Chance\knowbe4.secondchance.userdialog.exe" enable=yes protocol=TCP remoteport=80,443 profile=any
netsh advfirewall firewall add rule name="knowbe4.secondchance.updater.exe" dir=out action=allow program="%systemdrive%\Program Files (x86)\KnowBe4\Second Chance\knowbe4.secondchance.updater.exe" enable=yes protocol=TCP remoteport=80,443 profile=any

They look like this:

When everything works locally, copy it to a GPO and deploy.

It would also be a good idea to restrict the rules to KnowBe4 IP addresses, but I will do that in the future.

Microsoft Teams “proper” Installation

If you work with MS software you know that MS is forcing everything into the cloud, and that their goal is for every app to run in user mode with full internet access. That is a problem if you don't want that and have a more restrictive firewall policy, for example blocking every connection and then whitelisting selected programs, ideally allowing connections only to specified ports on specified IP addresses.

With Teams it is not so simple. The first thing is to force the Teams installation into the Program Files folder instead of every user's profile folder. To achieve this, use the Teams MSI that MS thankfully provides; this is what MS calls the Teams Machine-Wide Installer. It basically adds a Teams installation to every user account. To change that, use this MST file (the MST is at the bottom), which lets you install Teams normally into the Program Files folder. You can manage everything using your GPO in the “Software installation” section. Don't forget to add the MST there 😉 You can use Orca to modify it some more.

I use this command in a batch file to install it for testing:

msiexec.exe /i "\\domain\folder\Teams_windows_x64.msi" ALLUSERS=1 /norestart TRANSFORMS="\\domain\folder\teams_windows_x64.mst"

After everything is installed you need to add some firewall rules. The web is quite scarce on info about outgoing connections, but there is a lot of info for incoming ones. There are some nice suggestions that I found here.

The modified inbound rules for the Program Files installation look like this (yes, you can use a variable for the Program Files folder). What I read on the web is that you also need a second, disabled rule that blocks the traffic:

new-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol TCP -Action Allow -EdgeTraversalPolicy DeferToUser  
new-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol UDP -Action Allow -EdgeTraversalPolicy DeferToUser 
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol TCP -Action Block -Enabled false -EdgeTraversalPolicy Block
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol UDP -Action Block -Enabled false -EdgeTraversalPolicy Block

OK, now the outgoing rules. These are… well, MS… MS provides a list of IP addresses and ports here. You can see that Teams.exe uses TCP ports 443 and 80 and UDP ports 3478-3481.

The rules for it look like this (these two rules don’t limit the remote IP address, as I am not sure when MS will change the ranges). Keep in mind that outbound allow rules only restrict anything if the profile’s default outbound action is set to Block; with the Windows default of Allow they are documentation only.

New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol TCP -Action Allow -RemotePort 443, 80
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol UDP -Action Allow -RemotePort 3478-3481

If you prefer to limit them to Microsoft’s IP ranges, use these rules instead (not in addition: an unrestricted allow rule for the same program would make the restriction pointless)

New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol TCP -Action Allow -RemotePort 443, 80 -RemoteAddress 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol UDP -Action Allow -RemotePort 3478-3481 -RemoteAddress 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15

Every sane person would think this is all, but no… Teams uses Microsoft.AAD.BrokerPlugin.exe to log in and backgroundTaskHost.exe for something I could not identify. If you don’t allow outbound traffic for these two, the login does not work. Since you have to allow outbound traffic for them but don’t want these two executables to connect to anything on the internet, you can limit them to the MS login servers. These are the rules I used. Some IP ranges are from the MS list, some I added by inspecting the connections, so expect to re-check them when the login breaks after Microsoft moves an endpoint.

New-NetFirewallRule -DisplayName "Microsoft.AAD.BrokerPlugin.exe" -Program "C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe" -Profile Domain,Private,Public -Description "Microsoft.AAD.BrokerPlugin.exe (Teams login)" -Group "Teams" -Direction Outbound -Protocol TCP -Action Allow -RemotePort 443 -RemoteAddress 20.190.0.0/18,40.0.0.0/18,13.107.0.0/18,152.199.0.0/18
New-NetFirewallRule -DisplayName "backgroundTaskHost.exe" -Program "C:\Windows\System32\backgroundTaskHost.exe" -Profile Domain,Private,Public -Description "backgroundTaskHost.exe (Teams login)" -Group "Teams" -Direction Outbound -Protocol TCP -Action Allow -RemotePort 443 -RemoteAddress 20.190.128.0/18,40.126.0.0/18

Now you have a working Teams client with some firewall protection. The whole firewall PowerShell script is below. It contains both the unrestricted and the IP-restricted outbound pair, so keep only the pair you decided on, and add the two rules for Microsoft.AAD.BrokerPlugin.exe and backgroundTaskHost.exe from above, or the login will not work:

# Inbound
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol TCP -Action Allow -EdgeTraversalPolicy DeferToUser
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol UDP -Action Allow -EdgeTraversalPolicy DeferToUser
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol TCP -Action Block -Enabled False -EdgeTraversalPolicy Block
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Inbound -Protocol UDP -Action Block -Enabled False -EdgeTraversalPolicy Block
# Outbound, option A: any remote address (use either A or B, not both)
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol TCP -Action Allow -RemotePort 443, 80
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol UDP -Action Allow -RemotePort 3478-3481
# Outbound, option B: Microsoft ranges only
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol TCP -Action Allow -RemotePort 443, 80 -RemoteAddress 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 52.238.119.141/32, 52.244.160.207/32
New-NetFirewallRule -DisplayName "Teams.exe" -Program "C:\Program Files (x86)\Microsoft\Teams\current\Teams.exe" -Profile Domain,Private,Public -Description "Teams.exe" -Group "Teams" -Direction Outbound -Protocol UDP -Action Allow -RemotePort 3478-3481 -RemoteAddress 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15

After testing on your local computer, copy the rules into the Windows Defender Firewall with Advanced Security section of your GPO (under Computer Configuration > Policies > Windows Settings > Security Settings) and deploy.
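As an added example that is not part of the original post, here are a few audit helpers written against the rules above. They report the profile default actions (the outbound allow rules only bite when DefaultOutboundAction is Block), summarise the rules in the “Teams” group together with the program, port and address filters that Get-NetFirewallRule alone hides, and list the established TCP connections of Teams.exe, Microsoft.AAD.BrokerPlugin.exe and backgroundTaskHost.exe whose remote address falls outside the ranges used in the rules, which is exactly what you need when the login breaks after Microsoft moves an endpoint. The CIDR list is copied from the rules above; the function names are mine. UDP endpoints carry no remote address in Get-NetUDPEndpoint, so the STUN traffic on 3478-3481 is not covered by the connection check.

```powershell
# Added example: audit helpers for the Teams firewall rules above (function names are invented).
$TeamsProcesses = 'Teams', 'Microsoft.AAD.BrokerPlugin', 'backgroundTaskHost'
# Ranges taken from the rules in the post; they will drift, which is what this script is for.
$AllowedRanges = @(
    '13.107.64.0/18', '52.112.0.0/14', '52.122.0.0/15', '52.238.119.141/32', '52.244.160.207/32',
    '20.190.0.0/18', '40.0.0.0/18', '13.107.0.0/18', '152.199.0.0/18', '20.190.128.0/18', '40.126.0.0/18'
)

# Outbound allow rules only restrict traffic when the profile's default outbound action is Block.
function Get-OutboundPolicyStatus {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}
# To actually enforce the outbound rules (test on one machine first; every program without
# an allow rule is then blocked):
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# One row per rule in the "Teams" group, joined with its application, port and address filters.
function Get-TeamsRuleSummary {
    Get-NetFirewallRule -Group 'Teams' -ErrorAction SilentlyContinue | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            Enabled       = $_.Enabled
            Program       = $app.Program
            Protocol      = $port.Protocol
            RemotePort    = ($port.RemotePort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

# IPv4 prefix match without bit-shift arithmetic: compare the first $len bits as a string.
function ConvertTo-IPv4BitString([string]$Ip) {
    -join (([System.Net.IPAddress]$Ip).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') })
}
function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr.Split('/')
    $len = [int]$len
    (ConvertTo-IPv4BitString $Ip).Substring(0, $len) -eq (ConvertTo-IPv4BitString $net).Substring(0, $len)
}

# Established TCP connections of the three processes whose remote address is covered by none
# of the ranges. Run it during a login and a call to see what the restricted rules would block.
function Get-UncoveredTeamsConnections {
    $owner = @{}
    Get-Process | Where-Object { $TeamsProcesses -contains $_.ProcessName } |
        ForEach-Object { $owner[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $owner.ContainsKey([int]$_.OwningProcess) } |
        ForEach-Object {
            $conn = $_
            $ip = [System.Net.IPAddress]$conn.RemoteAddress
            $covered = $false
            if ($ip.AddressFamily -eq 'InterNetwork') {
                $covered = [bool]($AllowedRanges | Where-Object { Test-IPv4InCidr $conn.RemoteAddress $_ })
            }
            if (-not $covered) {
                [pscustomobject]@{
                    Process = $owner[[int]$conn.OwningProcess]
                    Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
                }
            }
        } | Sort-Object Process, Remote -Unique
}

Get-OutboundPolicyStatus      | Format-Table -AutoSize
Get-TeamsRuleSummary          | Format-Table -AutoSize
Get-UncoveredTeamsConnections | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the test machine while Teams is signing in. Anything listed by Get-UncoveredTeamsConnections is a remote address the restricted rules would drop once the default outbound action is Block; check it against Microsoft’s published ranges before adding it, rather than whitelisting whatever shows up.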