Archive for September, 2010

Nagios alerts via SMS with gnokii (tutorial)

September 23, 2010

Like many IT professionals, I use Nagios to monitor a lot of systems and services. Some of the checks are purely security related (the SIEM just registered an incident), while others span both the operational and security disciplines (the web server is down… why is the web server down?).

While all of the geeks I work with can get email alerts 24/7 through the magic of smart phones, that notification path still had gaps. What if the email server is down? What if the ActiveSync server, the firewall, the internet connection, or the core switching is down? Every one of those sits between Nagios and the phone.

Getting alerts via SMS seemed like a great solution to this problem. My first attempt was the cell provider’s email-to-SMS gateway. That covered a failure of the mail or ActiveSync servers, but the alert email still had to leave the network, so a failure at the firewall, internet connection or switching infrastructure would silence it just the same.

Some people I bounced ideas off of suggested a cellular modem (a.k.a. air card). That looked feasible, but getting the system to dial out only when needed seemed overly complex. A Verizon MiFi was also suggested. That avoided the complexity, but I was worried that an always-on connection to a separate network could function as a back door into ours. What I really wanted was a way to send SMS messages directly over the cell network.

Since I have an Android phone with root access, I was hoping to find a way to use Android’s native debugging system (adb) to send a text message from a simple shell script via the adb shell. I failed to find a way to do this. I’d still like to figure out how to make this happen, so please leave a comment if you have solved this puzzle!

Giving up on the Android route, a little googling led me to gnokii. gnokii has some pretty wide-ranging functionality, but all I wanted from it was the ability to send an SMS message through an attached cell phone. I went down several blind alleys before I got a working system set up, but I did finally get it running, and I’m happy to say it works exactly as I had hoped. Click here for the full tutorial.


BIND 9.3 and malwaredomains.com

September 2, 2010

I have been using the DNS blacklist from http://www.malwaredomains.com with BIND 9.3.x to redirect spyware traffic to an internal honeypot machine. I got an alert this morning that the server had stopped answering DNS queries. When I tried to start named by hand, it refused to start, with an error pointing at an underscore in one of the entries in the blacklist.

Depending on where you get your information, underscores are either completely non-RFC-compliant or a normal, accepted part of DNS. Both camps have a point: RFC 952 and RFC 1123 forbid underscores in host names, while RFC 2181 makes clear that a DNS label may contain any characters at all. What I didn’t understand was why, out of the huge number of people using the malwaredomains.com list, I seemed to be the only one running into this. If underscores are bad, malwaredomains.com should have gotten quite a few complaints before I jumped in. If underscores are OK, why was my BIND falling over when it found one?

It turns out that BIND 9 releases before 9.3 accepted the check-names option in named.conf for compatibility with BIND 8 but didn’t actually implement it, so names were never checked. In 9.3 the check is implemented and on by default: master zones default to check-names fail, slave zones to warn, and responses to ignore. The rule it enforces is the RFC 952/1123 host-name syntax (letters, digits and hyphens only) on the owner names of A, AAAA and MX records and on the host names in the RDATA of NS, SOA, MX and SRV records. An underscore in the owner name of a blacklist zone’s A record therefore makes named refuse to load that zone, which is exactly the nasty underscore it wasn’t happy about.

This is too bad, because anyone running a BIND server in an Active Directory environment will tell you that some of the DNS records AD depends on have underscores in their names. The SRV records such as _ldap._tcp.<domain> are safe, since check-names doesn’t look at SRV owner names, but an A record under an underscored name (the gc._msdcs.<domain> global-catalog records, for instance) hits the same check. I have a feeling this will be biting a lot of people migrating from older versions of BIND.

Whether or not underscores are OK, I needed to get my server running again. I got named up temporarily by deleting the offending record, but that wasn’t a permanent solution: one of my scripts would be downloading a new copy of the list at midnight. The entry in question was a genuinely bad host that a client could successfully resolve, so filtering every underscored entry out of the blacklist after download would have punched exactly the holes the list exists to close. I decided against modifying my script to do that. Instead, I did some research and then added the following two lines to the “options” section of my named.conf:

check-names master ignore;
check-names response ignore;

Run named-checkconf to make sure the file still parses, restart named, and poof! everything’s happy again. Note that check-names master ignore; switches the check off for every master zone on the server; if you want to keep it for your own zones, the same check-names option can be set per zone inside a zone statement instead.

UPDATE (10/01/10): After some correspondence between myself and the maintainer, malwaredomains.com has started adding “check-names ignore;” inside the zone statement on each line of their file whose zone name contains an underscore. Sweet!
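As an added example that is not part of the original post or the malwaredomains.com project, the following Python script applies the same host-name rule that check-names enforces to a blacklist made of BIND zone statements, and rewrites each offending entry with a per-zone check-names ignore;, the approach the maintainer adopted. The blacklist sample, the zone file path inside it, and the function names are constructed for the example; the real list is larger and its file path is whatever your download script writes.

```python
import re

# Constructed sample of a malwaredomains-style blacklist (not the real file).
# Each blocked domain is a master zone served from one shared zone file whose
# apex A record points at the honeypot, so the zone name is the A owner name.
SAMPLE_BLACKLIST = """\
zone "badsite.example" { type master; file "/etc/namedb/blockeddomain.hosts"; };
zone "evil_host.example" { type master; file "/etc/namedb/blockeddomain.hosts"; };
zone "ok-host.example" { type master; file "/etc/namedb/blockeddomain.hosts"; };
zone "-leading.example" { type master; file "/etc/namedb/blockeddomain.hosts"; };
"""

# RFC 952/1123 host-name label: letters, digits and hyphens, and a hyphen may
# not start or end the label. Underscores are legal DNS labels (RFC 2181) but
# never legal host-name labels, which is what check-names trips over.
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# One zone statement per line: zone "<name>" { <body> };
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"\s*\{(.*)\}\s*;\s*$')


def is_hostname(name):
    """True if every label of `name` satisfies the host-name syntax that
    BIND's check-names applies to A/AAAA/MX owner names."""
    name = name.rstrip(".")
    return all(HOST_LABEL.match(label) for label in name.split("."))


def annotate_blacklist(text):
    """Return (rewritten_text, flagged_names).

    Every zone statement whose zone name is not a legal host name gets
    'check-names ignore;' added inside its braces, so named loads it even
    with the default 'check-names master fail'. Statements that already
    carry a check-names option are left untouched, which makes the function
    safe to run on an already-annotated list after the nightly download.
    """
    out, flagged = [], []
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m and not is_hostname(m.group(1)) and "check-names" not in m.group(2):
            body = m.group(2).rstrip()
            line = f'zone "{m.group(1)}" {{{body} check-names ignore; }};'
            flagged.append(m.group(1))
        out.append(line)
    return "\n".join(out) + "\n", flagged


if __name__ == "__main__":
    rewritten, names = annotate_blacklist(SAMPLE_BLACKLIST)
    print(f"{len(names)} zone(s) needed check-names ignore: {names}")
    print(rewritten, end="")
```

Point the script at the downloaded list in place of SAMPLE_BLACKLIST and write the result where named's include statement expects it; keeping the per-zone form rather than a global check-names master ignore; means your own zones stay protected by the check.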