
check_dnsbl: a simple Nagios plugin

2006/10/16

One way to deal with rogue, virus-infected client machines that send spam is to do what AOL does. In our case this is not an acceptable choice. Therefore we redirect all rogue port 25/tcp traffic to a relay server [1], where we simply check for viruses in the outgoing email messages. A side effect of this method is that the server sometimes ends up listed in bl.spamcop.net. To know when this happens, I wrote this simple Nagios plugin, check_dnsbl:

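#!/usr/bin/perl -w
#
# yiorgos, Fri Oct 13 16:09:52 EEST 2006
# Normally this *must* follow the Nagios plugin guidelines:
# http://nagiosplug.sourceforge.net/developer-guidelines.html
#

# Yes these three lines are needed because of the embedded Perl interpreter
use vars;
use strict;
my($revip, $dnsbl, $ans);

$revip = shift or die "you must give a reversed IP address";
$dnsbl = shift or die "you must give a DNSBL";

# Accept only a dotted quad and a plain DNS name, so that neither argument
# can be read by dig as an option (-x, +opt, @server)
$revip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ or die "invalid reversed IP address";
$dnsbl =~ /^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/ or die "invalid DNSBL name";

# List-form open: the arguments go straight to dig, never through a shell
open(DNSBL, "-|", "/usr/bin/dig", "-4", "$revip.$dnsbl", "a") or die "cannot run dig: $!";
while(<DNSBL>) {
  chomp;
  if (m/^;; ANSWER SECTION:/) {
    # The line after the header is the A record, i.e. the address is listed
    $ans = <DNSBL>;
    close DNSBL;
    print "$dnsbl STATUS: ", $ans;
    exit 2;   # Nagios CRITICAL
  }
}
close DNSBL;

# No answer section: the address is not listed
print "$dnsbl STATUS: OK";
exit 0;       # Nagios OK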

Of course you can hack check_dnsbl to include more DNSBLs. This is simply a proof-of-concept that does the job fine. It is not a complete plugin. If you want to make a more complete plugin you have to read through the Nagios plugin developer guidelines.

Update: A final version of the check_dnsbl plugin can be downloaded from here. The final version checks whether $HOSTNAME$ is listed in the various DNSBLs specified in an array (yes, @dnsbl_list is specified inside the source; if you don't like it this way, you can put the array in an external file and have the Perl interpreter require it). It also uses Net::DNS instead of opening a pipe to dig, which makes it considerably faster.
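The multi-DNSBL check described in the update, sketched in Python as an added example: this is not the author's final plugin (which is Perl with Net::DNS) and it uses the system resolver instead. It goes slightly beyond the post by counting only answers inside 127.0.0.0/8 as a listing, the range DNSBLs conventionally answer from. The function names and the contents of DNSBL_LIST are assumptions made for illustration.

```python
"""Check one IPv4 address against several DNSBLs; Nagios exit codes."""
import ipaddress
import socket
import sys

OK, CRITICAL, UNKNOWN = 0, 2, 3
# Assumed list for illustration; bl.spamcop.net is the zone named in the post.
DNSBL_LIST = ["bl.spamcop.net"]


def query_name(ip, dnsbl):
    """Build the lookup name: octets reversed, then the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + dnsbl


def system_lookup(name):
    """Return the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return None
        raise  # timeouts, SERVFAIL: the caller reports UNKNOWN


def check(ip, dnsbls, lookup=system_lookup):
    """Return (nagios_status, message) for ip across all dnsbls."""
    listed = []
    try:
        for zone in dnsbls:
            answer = lookup(query_name(ip, zone))
            # Only 127.0.0.0/8 counts; other answers suggest a rewriting resolver.
            if answer and ipaddress.IPv4Address(answer).is_loopback:
                listed.append(f"{zone} ({answer})")
    except (ValueError, OSError) as exc:
        return UNKNOWN, f"DNSBL UNKNOWN: {exc}"
    if listed:
        return CRITICAL, "DNSBL CRITICAL: listed at " + ", ".join(listed)
    return OK, f"DNSBL OK: not listed in {len(dnsbls)} zone(s)"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("DNSBL UNKNOWN: usage: check_dnsbl.py <ipv4-address>")
        sys.exit(UNKNOWN)
    status, message = check(sys.argv[1], DNSBL_LIST)
    print(message)
    sys.exit(status)
```

A resolver failure is reported as UNKNOWN rather than OK, so a DNS outage cannot hide a listing.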

[1] in Greek

3 Responses to “check_dnsbl: a simple Nagios plugin”

  1. Jermaine Says:

    What I want to do on my blog, is every few hours take the oldest post and move it to the
    front of the queue, all automatically. Anyone know if there is a plugin that can do this or
    a simple way to set up another plugin to do this (use my own feed perhaps)?
    Thanks.

  2. adamo Says:

    My post is about a simple Nagios plugin that I wrote. Not about WordPress’ plugins. For those you should check the WordPress forums.

  3. Peter Says:

    #!/bin/bash
    #
    # check_spamcop nagios plugin 0.1
    # Nagios plugin that checks if $1 is listed at $2
    #
    # Copyright(c) 2005 Peter Senna Tschudin http://parahard.blogspot.com
    #

    #nagios plugins dir (check_dns is needed)
    nagios_plugin=/usr/lib/nagios/plugins

    print_usage() {
    clear
    echo "check_spamcop. Peter Senna Tschudin"
    echo "Usage: check_spamcop "
    echo "Usage: check_spamcop 64.233.171.109 bl.spamcop.net"
    }

    if [ $# -lt 2 ]; then
    print_usage
    exit 3
    fi

    #reverse ip
    oc1=`echo "$1" | cut -d '.' -f 1`
    oc2=`echo "$1" | cut -d '.' -f 2`
    oc3=`echo "$1" | cut -d '.' -f 3`
    oc4=`echo "$1" | cut -d '.' -f 4`
    reverseip="$oc4.$oc3.$oc2.$oc1.$2"

    #is it listed?
    "$nagios_plugin/check_dns" -H "$reverseip" > /dev/null
    exitstatus=$?

    if [ "$exitstatus" = "0" ]; then
    echo "CRITICAL: $1 is listed at $2"
    exit 2
    fi

    if [ "$exitstatus" = "2" ]; then
    echo "OK: $1 is not listed at $2"
    exit 0
    fi

    exit 3

