  1. #1
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,273

    Switch Ruleset / Settings.js from console

    I can see that the rules are Symlinks to Specific save states.
    So example:
    /usr/share/untangle/settings/untangle-node-spamblocker/settings_7.js -> ./settings_7.js-version-2016-07-15-194846.697.js

    Is there a way from the console to change the symlink and make the old ruleset active?

    I can change the symlink but even with a ucli stop i and ucli start the ruleset will not change.


    Another thought that I can add is that if the Alert engine could be used to do Actions when it finds an event, one could create custom rules specific to an event.

  2. #2
    Untangle Ninja
    WebFooL's Avatar

    Just to be super clear on what I am trying to do.

    Currently you can not (to my knowledge) get an alert on sessions in an app.
    In my case it is Spam blocker where a client has had a few SMTP DDoS attempts to him.

    He now runs with the max settings of 100 and wants to take action when sessions are above 50 to enable Tarpit/Greylist and modify some settings.

    Pseudocode:
    Code:
    #!/bin/bash
    # To find out what instance you want to count sessions from, run "ucli instances"

    instancenr=7 # in my case this is Spamblocker for the main rack
    logfile=log.txt
    timestamp=$(date --rfc-3339=seconds)

    # Print active sessions to temp file
    ucli sessions "$instancenr" > test.tmp

    # Count lines with :25 in them
    Port25=$(grep -c ":25" test.tmp)

    if [ "$Port25" -lt 50 ]
    then
      echo "$timestamp Count is $Port25 I do nothing" >> "$logfile"
    else
      echo "$timestamp Count is $Port25 I Need to do Symlink change" >> "$logfile"
      # Symlink command goes here
      # /usr/share/untangle/settings/untangle-node-spamblocker
      # settings_7.js -> ./settings_7.js-version-2016-07-15-194846.697.js
      # ln -sfn directory link_name
    fi

  3. #3
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    You can just set up a threshold alert that alerts when there are too many SMTP sessions in a short time period.

    Similar to the suspicious ssh rule.
    If it's distributed and not from a single IP, you don't want to group by IP though.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangle Ninja
    WebFooL's Avatar

    Hmm..

    And it looks like it counts sessions globally.

    Can one add a field so it just counts for one rack?

  5. #5
    Untangle Junkie dmorris's Avatar

    Sure just add a condition where policy = 3.

    It won't change the ruleset though, but neither will changing the symlink without rebooting the untangle-vm.
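
The threshold idea discussed in posts #3 to #5, as an added example that is not part of the thread and not Untangle's own alert engine: it counts port-25 sessions per time window for one policy (rack), either globally or grouped by client IP, to show why grouping by IP misses a distributed burst. The record format, the function names and the sample data are assumptions constructed for illustration; this is not real `ucli sessions` output.

```shell
#!/bin/bash
# Added example: threshold check over constructed session records.
# Record format (an assumption, NOT real ucli output):
#   <epoch_seconds> <policy_id> <client_ip> <server_port>

# smtp_burst_alerts WINDOW THRESHOLD POLICY MODE   (records on stdin)
#   MODE=global : one counter per time window (catches distributed bursts)
#   MODE=per_ip : one counter per client IP per time window
# Prints "<window_start> <key> <count>" for every counter above THRESHOLD.
smtp_burst_alerts() {
  awk -v win="$1" -v thr="$2" -v pol="$3" -v mode="$4" '
    # Only SMTP (port 25) sessions on the selected policy are counted.
    NF == 4 && $2 == pol && $4 == 25 {
      start = $1 - ($1 % win)                  # start of the fixed window
      key = (mode == "per_ip") ? $3 : "all"    # grouping key
      count[start " " key]++
    }
    END {
      for (k in count)
        if (count[k] > thr) print k, count[k]
    }' | sort
}

# Constructed sample: minute 1 is a distributed burst (four clients, one
# session each); minute 2 is a single-source burst (one client, four sessions).
# The policy-1 and port-443 records must not be counted.
sample_sessions() {
  cat <<'EOF'
1468612800 3 198.51.100.1 25
1468612805 3 198.51.100.2 25
1468612810 3 198.51.100.3 25
1468612815 3 198.51.100.4 25
1468612820 1 198.51.100.5 25
1468612825 3 198.51.100.6 443
1468612860 3 203.0.113.9 25
1468612865 3 203.0.113.9 25
1468612870 3 203.0.113.9 25
1468612875 3 203.0.113.9 25
EOF
}

# 60-second windows, alert above 3 sessions, policy 3.
echo "global:"; sample_sessions | smtp_burst_alerts 60 3 3 global
echo "per_ip:"; sample_sessions | smtp_burst_alerts 60 3 3 per_ip
```

The global mode reports both minutes, while the per-IP mode reports only the single-source burst.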

  6. #6
    Untangle Ninja
    WebFooL's Avatar

    Hmm, my 12.1.0 units do not have any "suspicious ssh" rules.
    Anyone who can post a sample?

  7. #7
    Untangle Junkie dmorris's Avatar

    ....
    Attached Images

  8. #8
    Untangle Ninja
    WebFooL's Avatar

    Thanks..
    Is there any reason why none of my 12.1.0 units have this rule?

  9. #9
    Untangle Junkie dmorris's Avatar

    It's a part of new defaults.
    If you upgraded you keep your existing settings.

    You can remove reports from the rack and reinstall it to get the new defaults.

    We generally don't add settings conversions on upgrades except for important things.
    That rule is just meant to be an example of a way to use load.

  10. #10
    Untangle Ninja
    WebFooL's Avatar

    Ok..

    I will install a new vm and export any cool new alerts to import on my Upgraded boxes.

    Thanks!
