Sunday, December 29, 2013

Check status of IMAP server

The Internet Message Access Protocol (commonly known as IMAP) is an Application Layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server. The current version, IMAP version 4 revision 1 (IMAP4rev1), is defined by RFC 3501. An IMAP server typically listens on well-known port 143.

I had configured a Dovecot IMAP server for many users, so I needed a mechanism to check whether the server was still responding to client requests during high traffic. I wanted to do this using a cron job and a simple script. The script telnets to the IMAP port on the Linux server and checks the status every 60 seconds; that is how often I configured the cron job, but it can just as well run every 5 minutes or so.


Now let us take a look at this simple code I wrote:

#!/bin/bash
#http://itstuffallaround.blogspot.com/
#program to check if a connection to Dovecot is possible and log failed and successful connections

# The log is written relative to the working directory; use an absolute path when run from cron.
LOGFILE="DOVSTATUS.txt"

# stdin from /dev/null makes telnet exit as soon as it has connected, and 2>&1 sends
# telnet's error messages to grep as well. "Escape character is '^]'." is printed
# only when the TCP connection to port 143 succeeded.
if telnet localhost 143 </dev/null 2>&1 | grep -q Escape; then
  echo "Connected Dovecot on $(date)" >> "$LOGFILE"
else
  echo "No connection to Dovecot on $(date)" >> "$LOGFILE"
fi


The simple BASH script consists of a single if/else test that telnets to port 143 and appends the status of the service to the DOVSTATUS.txt file.
The redirections </dev/null 2>&1 were very useful to me. Feeding stdin from /dev/null means telnet never waits for input at its prompt, so the escape and login sequence is skipped because it is not necessary, and 2>&1 redirects the error stream into the output stream, so even what telnet writes to stderr goes to grep instead of being shown on screen. After this, save the file with a .sh extension and add execute permissions on it. Configure it as a cron job and wait for the results in the DOVSTATUS.txt file.
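The same check can be done without telnet at all. The script below is an added example, not code from the original post: it uses bash's built-in /dev/tcp to connect to the IMAP port, reads the greeting line that RFC 3501 requires the server to send immediately after connecting, and sends LOGOUT so Dovecot does not keep a half-open session around. Checking the greeting rather than only the TCP connect catches the case where the port accepts connections but the IMAP service behind it has stopped answering. The host, port, timeout and log path are assumed placeholders.

```shell
#!/bin/bash
# Added example, not from the original post: the Dovecot liveness check done with
# bash's /dev/tcp instead of telnet. It reads the IMAP greeting a conforming server
# sends on connect, then sends LOGOUT so the session closes cleanly.
# IMAP_HOST, IMAP_PORT, READ_TIMEOUT and LOGFILE are assumed placeholders.

IMAP_HOST="${IMAP_HOST:-localhost}"
IMAP_PORT="${IMAP_PORT:-143}"
READ_TIMEOUT="${READ_TIMEOUT:-5}"
LOGFILE="${LOGFILE:-/var/log/dovstatus.txt}"   # assumed; any writable path will do

# greeting_ok LINE: return 0 if LINE is a valid IMAP server greeting.
# A live server answers "* OK ..." (or "* PREAUTH ..."); "* BYE" means it is
# refusing new sessions, anything else means the port is not speaking IMAP.
greeting_ok() {
  case "$1" in
    "* OK"*|"* PREAUTH"*) return 0 ;;
    *) return 1 ;;
  esac
}

# status_line STATE GREETING TIMESTAMP: one log line in the style of the original
# script, with the greeting (or the failure reason) appended in parentheses.
status_line() {
  if [ "$1" = up ]; then
    printf 'Connected Dovecot on %s (%s)\n' "$3" "$2"
  else
    printf 'No connection to Dovecot on %s (%s)\n' "$3" "${2:-no greeting received}"
  fi
}

# check_imap HOST PORT: connect, read one greeting line, send LOGOUT.
# Prints the greeting and returns 0 when it looks like a live IMAP server.
# Requires bash: /dev/tcp and "read -t" are bash features, not POSIX sh.
check_imap() {
  local host=$1 port=$2 greeting
  greeting=$(
    {
      IFS= read -r -t "$READ_TIMEOUT" line && printf '%s' "${line%$'\r'}"
      printf 'a1 LOGOUT\r\n' >&3
    } 2>/dev/null 3<>"/dev/tcp/$host/$port" <&3
  )
  printf '%s\n' "$greeting"
  greeting_ok "$greeting"
}

# main: run one check and append the result to the log, as the cron job would.
main() {
  local greeting state
  if greeting=$(check_imap "$IMAP_HOST" "$IMAP_PORT"); then
    state=up
  else
    state=down
  fi
  status_line "$state" "$greeting" "$(date)" >> "$LOGFILE"
}

# Only run the check when invoked with "--run", so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it from cron as `bash check_imap.sh --run` (the file name is an assumption). Because the connection is closed by sending LOGOUT after the greeting, each check shows up in the Dovecot log as a short, clean session rather than a dropped connection, which keeps the monitoring traffic easy to tell apart from real client failures.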

Feel free to code more!

Wednesday, December 4, 2013

Improved Linux DDOS detection program

With a lot of help from some friends in the Linux community, I have improved the DDoS detection program for Linux systems. This BASH script gives IT people the possibility to see in a neat list what is currently going on at their servers and, more importantly, where it is coming from.

The code presented in this blog post is not to be run in a loop of any sort, because it would deny the admin the resources needed to log on.

#!/bin/bash
#Zeljko Milinovic - http://itstuffallaround.blogspot.com/
#Cached lookup of ddos whois IP sockets
#v1.1
cachefile="$HOME/ddostestercache"

# return 0 if address is to be filtered from the processed (loopback, private, link-local)
filter()
{
  case "$1" in
    0.* | 127.* | 10.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[0-1].* | 192.168.* | 169.254.*)
      return 0
      ;;
  esac
  return 1
}

# print "<count> <ip>" for every remote address that currently has TCP/UDP sockets open
remote_ips()
{
  # print only IPv4 addresses; strip the port from the Foreign Address column
  netstat -tun4 | awk '/:/ {gsub(/:.*/,"",$5);print $5}' | sort -n | uniq -c
}

# look up the country of an IP with whois, caching the answer in $cachefile
get_country()
{
  # escape the dots so the cache lookup matches this exact address only
  local key=${1//./\\.}
  local country=$(sed -nr "s/^$key (.*)/\1/p" "$cachefile" 2>/dev/null)
  if [ -z "$country" ];then
    # some queries produce multiple lines so for now use only the first line..
    country=$(whois "$1" 2>/dev/null | sed -nr 's/^country:[[:space:]]+(.*)/\1/ip' | head -1)
    country=${country:-unknown}
    # cache search result for future use
    echo "$1 $country" >> "$cachefile"
  fi
  # let's not print the text "unknown" to screen
  [ "$country" = "unknown" ] && unset country
  echo "$country"
}

remote_ips | while read count ip;do
  if ! filter "$ip";then
    echo "$count $ip $(get_country "$ip")"
  fi
done


And finally the output for the script:

1 50.31.xxx.xxx US
9 98.28.xxx.xxx DK
1 109.12.xxx.xxx BA

As we can see, the output lists 3 IP addresses with their number of concurrent connections and their country of origin. This is very useful to detect where the attack is coming from and to mitigate it fast.
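To show what the counting and filtering part of the script actually does, here is an added example that is not code from the original post: the same per-remote-IP count, but fed from a constructed `netstat -tun4` sample so it can be exercised offline, plus a threshold so only the addresses holding many sockets are printed. The whois lookup is left out on purpose so that nothing here needs the network. The sample lines use the RFC 5737 documentation ranges, the column layout matches what netstat prints, and the default threshold of 2 is an assumption.

```shell
#!/bin/bash
# Added example, not from the original post: per-remote-IP socket count over a
# constructed netstat sample, private addresses filtered out, threshold applied.
# SAMPLE_NETSTAT is constructed; the threshold default is an assumption.

# Constructed sample of `netstat -tun4` output, same columns as the real command.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:143        198.51.100.7:50123      ESTABLISHED
tcp        0      0 203.0.113.10:143        198.51.100.7:50124      ESTABLISHED
tcp        0      0 203.0.113.10:143        198.51.100.7:50125      ESTABLISHED
tcp        0      0 203.0.113.10:143        192.0.2.55:60001        ESTABLISHED
tcp        0      0 203.0.113.10:143        192.0.2.55:60002        TIME_WAIT
tcp        0      0 203.0.113.10:22         192.168.1.20:41002      ESTABLISHED
tcp        0      0 203.0.113.10:22         192.168.1.20:41003      ESTABLISHED
tcp        0      0 203.0.113.10:22         192.168.1.20:41004      ESTABLISHED
udp        0      0 203.0.113.10:53         192.168.1.20:33333      ESTABLISHED'

# is_private IP: return 0 for loopback, RFC 1918, link-local and 0.0.0.0/8 addresses,
# the same ranges the original filter() drops because they are internal traffic.
is_private() {
  case "$1" in
    0.*|127.*|10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*|169.254.*) return 0 ;;
  esac
  return 1
}

# remote_counts: read netstat -tun4 output on stdin, print "<count> <ip>" per remote
# address, busiest first. Only rows whose Foreign Address column carries a port are
# used, which skips the two header lines.
remote_counts() {
  awk '$5 ~ /:/ { sub(/:[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_over THRESHOLD: read remote_counts output on stdin and print only the public
# addresses holding THRESHOLD or more sockets.
flag_over() {
  local threshold=$1 count ip
  while read -r count ip; do
    if ! is_private "$ip" && [ "$count" -ge "$threshold" ]; then
      echo "$count $ip"
    fi
  done
}

# report [THRESHOLD]: run the pipeline over the constructed sample (default 2).
# On a live server, replace the printf with a real "netstat -tun4".
report() {
  printf '%s\n' "$SAMPLE_NETSTAT" | remote_counts | flag_over "${1:-2}"
}

# Only print when invoked with "--run", so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  report "$2"
fi
```

With the sample above, `report 2` prints `3 198.51.100.7` and `2 192.0.2.55`; the 192.168.1.20 host is the busiest one but is dropped as private, which is exactly why the original script filters those ranges before spending a whois query on them. The threshold is what turns the listing into something a cron job can alert on instead of a list to read by eye.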

Feel free to code more and comment.