Solutions

PowerShell script to retrieve security-related events

PowerShell script to retrieve security-related events from the Windows Event Log, specifically from the Security log.

```powershell
# Define the log name and security-related event IDs (adjust as needed)
$logName = "Security"
$securityEventIDs = @(4624, 4625, 4672, 4688, 4634, 4648, 4768, 4776) # Common security event IDs

# Let the event log service do the filtering: with -FilterHashtable, -MaxEvents caps the number
# of *matching* events. Piping "Get-WinEvent -MaxEvents 50" into Where-Object, as the first
# version of this script did, only inspected the 50 newest events of any ID and could miss
# everything of interest. Reading the Security log requires an elevated (administrator) session.
$securityEvents = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $securityEventIDs } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

# Display the results (-ErrorAction SilentlyContinue turns "No events were found" into $null)
if ($securityEvents) {
    foreach ($evt in $securityEvents) {
        Write-Output "----------------------------------"
        Write-Output "Time: $($evt.TimeCreated)"
        Write-Output "Event ID: $($evt.Id)"
        Write-Output "Message: $($evt.Message)"
    }
} else {
    Write-Output "No security events found."
}
```

Event ID   Description
4624       Successful logon
4625       Failed logon
4672       Special privileges assigned to a new logon (administrative logon)
4688       A new process was created
4634       Logoff
4648       Logon using explicit credentials (RunAs)
4768       Kerberos authentication ticket (TGT) requested
4776       NTLM credential validation attempt

4768 is only logged on domain controllers; 4776 is logged on the computer that validated the credentials (the DC for domain accounts, the local machine for local accounts); 4688 only appears when the Audit Process Creation subcategory is enabled.
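Listing events is the first step; the detection a practitioner builds on top of 4625 and 4624 is password-guessing. The script below is added here as an example and is not part of the original post. It pulls the structured fields (TargetUserName, IpAddress, LogonType, SubStatus) from the event XML rather than regex-matching the localized message text, groups failures by source address, classifies each source as brute force (one account) or password spray (many accounts), and flags sources that later achieved a successful logon. The window and threshold values, the session being elevated, and the log living on the local machine are assumptions.

```powershell
# Added example (not part of the original post): detect password guessing against this host
# from Security log events 4625 (failed logon) and 4624 (successful logon).
# Assumptions: elevated session on the machine (or DC) that holds the log;
# $WindowMinutes and $Threshold are illustrative values, tune them for your environment.
$WindowMinutes = 60
$Threshold     = 10          # failed logons from one source address within the window
$since         = (Get-Date).AddMinutes(-$WindowMinutes)

# Read a named field from the event's EventData instead of parsing the localized Message text.
function Get-EventField {
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record,
        [Parameter(Mandatory)][string]$Name
    )
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Server-side filter on ID and time; -ErrorAction turns "no events found" into an empty result.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($r in $failed) {
    [pscustomobject]@{
        Time      = $r.TimeCreated
        User      = Get-EventField -Record $r -Name 'TargetUserName'
        SourceIp  = Get-EventField -Record $r -Name 'IpAddress'
        LogonType = Get-EventField -Record $r -Name 'LogonType'   # 3 = network, 10 = RDP
        SubStatus = Get-EventField -Record $r -Name 'SubStatus'   # 0xc000006a bad password, 0xc0000064 no such user
    }
}

# One source hammering one account is brute force; one source touching many accounts is a spray.
$suspects = $rows |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $accounts = @($_.Group.User | Sort-Object -Unique)
        [pscustomobject]@{
            SourceIp    = $_.Name
            Failures    = $_.Count
            Accounts    = $accounts.Count
            BadPassword = @($_.Group | Where-Object SubStatus -eq '0xc000006a').Count
            UnknownUser = @($_.Group | Where-Object SubStatus -eq '0xc0000064').Count
            Pattern     = if ($accounts.Count -gt 1) { 'password spray' } else { 'brute force' }
            FirstSeen   = ($_.Group.Time | Sort-Object | Select-Object -First 1)
            LastSeen    = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
        }
    }

# Correlate with 4624: a source that failed repeatedly and then logged on is the case to escalate.
$success    = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue
$successIps = @($success | ForEach-Object { Get-EventField -Record $_ -Name 'IpAddress' } | Sort-Object -Unique)

foreach ($s in $suspects) {
    $s | Add-Member -NotePropertyName LaterSuccess -NotePropertyValue ($successIps -contains $s.SourceIp)
}

if ($suspects) {
    $suspects | Sort-Object Failures -Descending | Format-Table -AutoSize
} else {
    Write-Output "No source address exceeded $Threshold failed logons in the last $WindowMinutes minutes."
}
```

A high UnknownUser count points at username enumeration rather than a stolen password list, and a source with LaterSuccess set to True after a spray is the row to take to incident response first.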
[more...]

PowerShell script to retrieve VPN events

PowerShell script to retrieve VPN events from the Windows Event Log. It focuses on events related to VPN connections (RAS and IKEv2).

```powershell
# Define the log name and event IDs for VPN connections. 20225 (connected), 20226 (disconnected)
# and 20227 (connection failed) are raised by the RasClient source in the Application log.
$logName = "Application"
$vpnEventIDs = @(20225, 20226, 20227, 20255) # Example VPN event IDs

# Retrieve VPN connection events. Filtering by ID in the hashtable is done by the event log
# service; the first version of this script read the whole Application log and filtered it
# afterwards in Where-Object, which is slow on a large log.
$vpnEvents = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $vpnEventIDs } `
    -ErrorAction SilentlyContinue

# Display the results
if ($vpnEvents) {
    foreach ($evt in $vpnEvents) {
        Write-Output "----------------------------------"
        Write-Output "Time: $($evt.TimeCreated)"
        Write-Output "ID: $($evt.Id)"
        Write-Output "Message: $($evt.Message)"
    }
} else {
    Write-Output "No VPN events found."
}
```

  • Queries the Windows Event Log for VPN-related events
  • Filters based on event IDs typically associated with VPN connections
  • Displays relevant event details.
[more...]

Configure an Rspamd Bypass step by step

Bypassing Rspamd for specific senders, domains, or users is done with a settings rule that matches the sender and disables checks for the matching message, optionally backed by a score adjustment. Here is a step-by-step guide to configuring such a bypass in Rspamd:

Step 1: Access the Rspamd Configuration Directory

  1. Connect to your server via SSH:

```sh
ssh user@yourserver
```

  2. Navigate to the Rspamd configuration directory. Put your changes in local.d/ (merged into the shipped defaults) rather than editing the top-level files, which package upgrades overwrite:

```sh
cd /etc/rspamd/
```

Step 2: Whitelist an Email or Domain

To bypass Rspamd filtering for specific senders or domains:

  1. Open the whitelist map file (create it if it doesn't exist):

```sh
sudo nano /etc/rspamd/local.d/whitelist_sender.map
```

  2. Add the emails or domains you want to bypass (one per line; a leading @ matches every address at that domain):

```
user@example.com
@trusted-domain.com
```

  3. Save and exit (CTRL + X, then Y, then Enter).

  4. Now reference the map from a settings rule:

```sh
sudo nano /etc/rspamd/local.d/settings.conf
```

  5. Add the following rule. The `from` condition is matched against the SMTP envelope sender, which any remote host can forge, so a rule that disables every check on that basis alone turns the whitelist into a phishing bypass for anyone who spoofs a listed address. Where you know the sending servers, add their addresses with `ip` so both conditions must hold:

```
whitelist {
  priority = "high";
  from = "/etc/rspamd/local.d/whitelist_sender.map";
  # Uncomment and fill in the trusted relays' addresses to stop spoofed senders using the bypass:
  # ip = ["203.0.113.0/24"];
  apply {
    # An empty symbols_enabled list disables every symbol for the matching message.
    # (The original "symbols_disabled = [ALL]" names a symbol Rspamd does not define.)
    # For a partial bypass disable a group instead, e.g. groups_disabled = ["antivirus"];
    symbols_enabled = [];
  }
}
```

  6. Save and exit.

Step 3: Disable Scoring for Whitelisted Senders

With every symbol disabled by the rule above the message already scores 0, so this step is only needed when you keep some checks enabled and want a strongly negative symbol to offset them. Note that defining a symbol in the metric only sets its weight; something (for example a multimap rule keyed on the same map) still has to insert the symbol on matching messages.

  1. Edit the scores configuration file:

```sh
sudo nano /etc/rspamd/local.d/metrics.conf
```

  2. Add:

```
symbol "WHITELIST" {
  score = -100.0;
  description = "Whitelisted sender, bypass Rspamd checks";
}
```

  3. Save and exit.

Step 4: Restart Rspamd

After making changes, validate the configuration first (a syntax error in settings.conf would otherwise leave Rspamd unable to start), then restart to apply them:

```sh
sudo rspamadm configtest
sudo systemctl restart rspamd
```

Step 5: Verify the Configuration

The rspamc symbols command scans a message, so feed it a saved message on stdin and set the envelope sender with -F (a bare address given as the argument, as in the original command, is treated as a file name):

```sh
rspamc -F user@example.com symbols < /path/to/message.eml
```

  • For a whitelisted sender the output should contain no Symbol: lines and a score of 0. Repeat with an address that is not in the map and confirm the usual symbols come back; if the rule carries an ip condition, add -i <address> to simulate the sending server.
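A scripted form of that check, added here as an example and not part of the original post. It scans a constructed minimal message twice through rspamc, once as the whitelisted sender and once as a control sender, and reports whether the rule fires only for the former. Assumed: rspamc runs on the Rspamd host, user@example.com is an address in whitelist_sender.map, stranger@example.net is any address that is not, and a bare message with no Date or Message-ID header trips at least one symbol when it is not bypassed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): end-to-end check of the Rspamd whitelist.
# Assumptions: rspamc is installed on the Rspamd host; user@example.com is listed in
# /etc/rspamd/local.d/whitelist_sender.map and stranger@example.net is not.

# Constructed test input: a minimal message that, without the bypass, trips a few
# header-hygiene symbols (no Date, no Message-ID), so the control scan is never empty.
build_test_message() {
    local sender="$1"
    printf 'From: %s\nTo: postmaster@localhost\nSubject: whitelist check\n\nwhitelist check\n' "$sender"
}

# Count the "Symbol: NAME (score)" lines in rspamc symbols output read from stdin.
# A fully bypassed message yields none. Always exits 0 so it is safe under set -e.
count_symbols() {
    grep -c '^Symbol:' || true
}

# The bypass is effective only if the whitelisted scan produced no symbols AND the control
# scan produced some (a control with no symbols means the scanner itself is not answering).
bypass_effective() {
    local whitelisted_count="$1" control_count="$2"
    [ "$whitelisted_count" -eq 0 ] && [ "$control_count" -gt 0 ]
}

# Scan both senders. -F sets the SMTP envelope sender that the settings rule matches on;
# add -i <address> to both rspamc calls if the rule also carries an ip condition.
run_check() {
    local white="${1:-user@example.com}" control="${2:-stranger@example.net}"
    local w_count c_count
    w_count=$(build_test_message "$white"   | rspamc -F "$white"   symbols | count_symbols)
    c_count=$(build_test_message "$control" | rspamc -F "$control" symbols | count_symbols)
    printf 'whitelisted %-26s symbols fired: %s\ncontrol     %-26s symbols fired: %s\n' \
        "$white" "$w_count" "$control" "$c_count"
    if bypass_effective "$w_count" "$c_count"; then
        echo "OK: checks are skipped for the whitelisted sender only"
    else
        echo "FAIL: bypass not in effect; check local.d/settings.conf and 'rspamadm configtest'" >&2
        return 1
    fi
}

if command -v rspamc >/dev/null 2>&1; then
    run_check "$@"
else
    echo "rspamc not found; run this script on the Rspamd host" >&2
fi
```

Counting symbols rather than comparing scores is deliberate: a control message can legitimately score 0 after negative symbols cancel positive ones, but a message for which every check was skipped produces no Symbol: lines at all.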
[more...]