Check status of IMAP server

Check status of IMAP server

The Internet Message Access Protocol (commonly known as IMAP) is an Application Layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server. The current version, IMAP version 4 revision 1 (IMAP4rev1), is defined by RFC 3501. An IMAP server typically listens on well-known port 143.

I had configured a Dovecot server with IMAP status, for many users , so I needed a mechanism to check if the server is responding on client requests during the high traffic. I wanted to do this using a Cron job and a simple script. This script will telnet to the IMAP port on the Linux server and check the status every 60 seconds. This is how often I configured the Cron job, it can be configured on every 5 minutes or so.

Now let us take a look on this simple code I wrote:

#!/bin/bash

#http://itstuffallaround.blogspot.com/

#program to check if connection is possible with Dovecot and log errors and success full connections

if telnet localhost 143 </dev/null 2>&1 | grep -q Escape; then

  echo "Connected Dovecot on $(date)" >> DOVSTATUS.txt

else

  echo "No connection to Dovecot on $(date)"  >> DOVSTATUS.txt

fi

The simple BASH language script is constructed of a single loop, that telnets to port 143 and returns the status of the service to a dovstatus.txt file. 

The parameter /dev/null 2>&1 was very useful to me, because it will disable returning the on screen prompt for action on telnet, and Escape the login sequence because it is not neccessary, it will redirect both the output and the error streams. Even if your program writes to stderr, that output will not be shown. After this rename the file as .sh and add the execute perrmissions on it. Configure it as a cron job and wait for the results in the dovstatus.txt file.

Feel free to code more!

Improved Linux DDOS detection program

Improved Linux DDOS detection program

With a lot of help with some friend on the Linux comunity, I have improved the DDOS detection program on Linux systems. This BASH code gives the IT people possibility to fine list what is currently going on at their servers. And what is more important where from.

The code presented in the following blog is not to be used in loops of any sort becuase it would deny the admin resources to log on.

 #Zeljko Milinovic - http://itstuffallaround.blogspot.com/

 #Cached lookup of ddos whois IP sockets

 #v1.1

 #!/bin/bash

 cachefile="$HOME/ddostestercache"

 # return 0 if address is to be filtered from the processed

 filter()

 {

 case "$1" in

 0.* | 127.* | 10.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[0-1].* | 192.168.* | 169.254.*)

 return 0

 ;;

 esac

 return 1

 }

 remote_ips()

 {

 # print only IPv4 addresses

 netstat -tun4 | awk '/:/ {gsub(/:.*/,"",$5);print $5}' | sort -n | uniq -c

 }

 get_country()

 {

 local country=$(sed -nr "s/^$1 (.*)/\1/p" $cachefile 2>/dev/null)

 if [ -z "$country" ];then

 # some queries produce multiple lines so for now use only the first line..

 country=$(whois "$1" | sed -nr 's/^country:[[:space:]]+(.*)/\1/ip' | head -1)

 country=${country:-unknown}

 # cache search result for future use

 echo "$1 $country" >> $cachefile

 fi

 # let's not print the text "unknown" to screen

 [ "$country" = "unknown" ] && unset country

 echo "$country"

 }

 remote_ips | while read count ip;do

 if ! filter $ip;then

 echo "$count $ip $(get_country $ip)"

 fi

 done

And finally the output for the script:

1 50.31.xxx.xxx US

9 98.28.xxx.xxx DK

1 109.12.xxx.xxx BA

As we can see, in the output we have 3 IP addresses, numbered, listed with concurrent connections , and their country origin. This is very useful to detect where from is the attack, and to mitigate fast.

Feel free to code more and comment.