Ed Ravin | 3 Jul 20:43 2007

rbl.monitor - warn if mailservers are in a blacklist

I've rewritten the prototype rbl.monitor that was submitted by Tim
Hanes a while back.  This version uses asynchronous DNS requests
(using Net::DNS), and allows for an external list of the RBL zones
to check.  It also has a master timeout in case it gets stuck on
any of the DNS queries.

Please let me know what you think of it.  I haven't put this in
Sourceforge yet, I want to make sure it runs in at least one other
environment besides mine.

	-- Ed

#!/usr/bin/perl

# rbl.monitor - check RBL blacklists for an IP address.  Uses asynch I/O
# to send all the requests simultaneously

my $usage="\
Usage: rbl.monitor [options] hostname [...]

Options [and default values]:

    --listfile <list of RBL domains>                 [preset list, see script]
    --rbllist <comma separated list of RBL domains>
    --timeout  <master timeout>                      [60 seconds]
    --debug                                          [off]
";

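As an added, constructed example (Python, not Ed's Perl script and not code from the mon project), here is the core of the check the message describes: build the reversed-octet query name for each RBL zone, resolve all zones concurrently, and enforce one master timeout so a hung RBL is reported as a failure instead of stalling the whole run. The zone names, the `make_fake_resolver` offline stand-in and the address 192.0.2.1 are placeholders; the real resolver takes IPv4 addresses rather than hostnames.

```python
"""Check whether an IPv4 address is listed in DNS blacklists (RBLs).

Constructed example. Each RBL is queried as <reversed-octets>.<zone>: an A
record answer means "listed", NXDOMAIN means "not listed". All zones are
queried concurrently under a single master timeout, and zones that time out
or error are reported separately so they are never mistaken for "clean".
"""
import asyncio
import ipaddress
import socket
import sys

# Placeholder zone names; substitute the RBL zones you actually use.
RBL_ZONES = ["rbl-one.example.net", "rbl-two.example.net"]


def rbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets of the IPv4 address reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are supported: %s" % ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


async def resolve_dns(name):
    """Resolve NAME to its A records; None means no answer (not listed)."""
    loop = asyncio.get_running_loop()
    try:
        infos = await loop.getaddrinfo(name, None, family=socket.AF_INET,
                                       type=socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def make_fake_resolver(listings, slow_zones):
    """Constructed offline resolver: LISTINGS maps query name -> answer list;
    names under a zone in SLOW_ZONES never answer (simulates a hung RBL)."""
    async def fake(name):
        if any(name.endswith("." + z) for z in slow_zones):
            await asyncio.sleep(3600)
        return listings.get(name)
    return fake


async def check_host(ip, zones, resolve, timeout=60.0):
    """Query every zone concurrently; stop waiting after TIMEOUT seconds.

    Returns (listed, clean, failed): listed maps zone -> answer addresses,
    clean lists zones that returned no record, failed lists zones that timed
    out or raised an error."""
    tasks = {zone: asyncio.create_task(resolve(rbl_query_name(ip, zone)))
             for zone in zones}
    done, pending = await asyncio.wait(tasks.values(), timeout=timeout)
    listed, clean, failed = {}, [], []
    for zone, task in tasks.items():
        if task in pending:
            task.cancel()
            failed.append(zone)
            continue
        try:
            answer = task.result()
        except Exception:
            failed.append(zone)
            continue
        if answer is None:
            clean.append(zone)
        else:
            listed[zone] = answer
    # Reap the cancelled tasks so no "task was destroyed" warning is emitted.
    await asyncio.gather(*pending, return_exceptions=True)
    return listed, clean, failed


def run_check(ip, zones, resolve=resolve_dns, timeout=60.0):
    """Synchronous wrapper around check_host."""
    return asyncio.run(check_host(ip, zones, resolve, timeout))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for ip in sys.argv[1:]:
            print(ip, run_check(ip, RBL_ZONES))
    else:
        # Offline demonstration: one listing, one clean zone, one hung zone.
        fake = make_fake_resolver({"1.2.0.192.rbl-one.example.net": ["127.0.0.2"]},
                                  {"slow.example.net"})
        print(run_check("192.0.2.1", RBL_ZONES + ["slow.example.net"], fake, timeout=0.2))
```

Run with no arguments for the offline demonstration, or with one or more IPv4 addresses to query the configured zones over real DNS. A zone in `failed` should page someone about the monitor itself, not be read as "not listed".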

Marco A P D'Andrade | 4 Jul 02:17 2007

Re: rbl.monitor - warn if mailservers are in a blacklist

One suggestion...

Use another format for GetOptions ...

#-- don't need default values (you use a boolean check)
my ( $listfile, $rbllist, $debug );

  GetOptions(
     'listfile=s' => \$listfile,
     'rbllist=s' => \$rbllist,
     'debug' => \$debug,
  );

Usually you can check the validity of the parameter sequence.

It has the same effect, but you don't need to use a %opt hash.

 my $optOk = GetOptions( ... , 'help' => \$help );

  unless ( $optOk || $help ) {
     print $usage, "\n";
     exit 1;
  }


Your script is very good !! But I'm a perl monger ;)


2007/7/3, Ed Ravin <eravin <at> panix.com>:
I've rewritten the prototype rbl.monitor that was submitted by Tim
Hanes a while back.  This version uses asynchronous DNS requests
(using Net::DNS), and allows for an external list of the RBL zones
to check.  It also has a master timeout in case it gets stuck on
any of the DNS queries.

Please let me know what you think of it.  I haven't put this in
Sourceforge yet, I want to make sure it runs in at least one other
environment besides mine.

        -- Ed


_______________________________________________
mon mailing list
mon <at> linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon



Ed Ravin | 12 Jul 16:53 2007

mon.cgi: patch to untaint monitor output

One of my custom monitors was printing the output of a syslog entry 
as its summary output.  The syslog entry was from a mail program,
so it had stuff like "to=<whatever <at> example.com>".  But in mon.cgi's
output in my Web browser, it just said "to=".

This is because mon.cgi is just dropping the output into a web page,
where the browser parses it for HTML.  Years ago we added a call
to HTML::Entities::encode_entities to mon.cgi so that messages typed
in with the ACK command would not get confused with HTML - the attached
patch extends that functionality to monitor output.

There are security implications here - if an outside party could get
control of the output of a Mon script (easy in my case, since the data
comes from syslog and includes error messages from a remote host), that
outside party could cobble together some HTML that eventually gets
executed in the Mon user's browser (i.e. cross-site scripting).

The attached patch renames the "untaint_ack_msgs" parameter to
"untaint_all_msgs" and, when set, not only untaints ACK messages,
but also untaints last_summary and last_detail output before displaying
it.

I recommend that we remove this parameter completely and always untaint
messages before displaying them in the CGI interface - it's the right
thing to do.  The cost is one more Perl module dependency, but there
are already a host of Perl modules needed to run mon and one more is
not going to hurt much.

I haven't worked on this code for several years so I may have missed
something - an extra pair of eyes on this patch would be appreciated.

	-- Ed
--- mon.cgi.pl	2005-04-21 16:56:29.000000000 -0400
+++ mon2.cgi.pl	2007-07-12 10:32:59.000000000 -0400
 <at>  <at>  -143,7 +143,7  <at>  <at> 
 	    $monhost_and_port_args $monhost_and_port_args_meta
 	    $has_read_config $moncgi_config_file $cf_file_mtime
 		$mon11
-	    $untaint_ack_msgs  <at> show_watch  <at> no_watch $show_watch_strict
+	    $untaint_all_msgs  <at> show_watch  <at> no_watch $show_watch_strict
 	    $required_mon_client_version);
 # Formatting-related global vars
 use vars qw($BGCOLOR $TEXTCOLOR $LINKCOLOR $VLINKCOLOR 
 <at>  <at>  -224,7 +224,7  <at>  <at> 
     $cookie_name = "mon-cookie";           #name of cookie given to browser for auth
     $cookie_path = "/";                  # path for auth cookie
                                      # Set this to "" for auto-path set
-    $untaint_ack_msgs = "yes";           # Use HTML::Entities to scrub user-supplied ack messages (recommended!)
+    $untaint_all_msgs = "yes";           # Use HTML::Entities to scrub user-supplied ack messages (recommended!)
     # Define optional regexes in the  <at> show_watch variable,
     # and only hostgroups which match one of these regexes
     # will be shown.
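Review bot: the comment on the renamed default (`# Use HTML::Entities to scrub user-supplied ack messages (recommended!)`) still describes only ack messages, while `$untaint_all_msgs` now also governs last_summary and last_detail. Update it to say it scrubs ack messages and monitor output, so an admin reading the config knows what switching it off exposes.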
 <at>  <at>  -367,10 +367,10  <at>  <at> 
 #
 # Used to escape HTML in ack's
 #
-if ($untaint_ack_msgs =~ /^y(es)?$/i) {
+if ($untaint_all_msgs =~ /^y(es)?$/i) {
     eval "use HTML::Entities" ;
 } else {
-    undef $untaint_ack_msgs;
+    undef $untaint_all_msgs;
 }

 
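Review bot: `eval "use HTML::Entities"` swallows a failed module load, so if the module is missing `$untaint_all_msgs` stays set and the later `HTML::Entities::encode_entities(...)` calls die while rendering the page. Check `$@` after the eval and `undef $untaint_all_msgs` with a warning, or, following the message's own recommendation to always untaint, replace the eval with a plain `use HTML::Entities;` so the missing dependency fails loudly at startup.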
 <at>  <at>  -1104,7 +1104,7  <at>  <at> 
 	    # user requested it, otherwise, just pass it on through 
             # as is.
 	    if ( $op{$group}{$service}{'ack'} != 0 ) {
-		if ($untaint_ack_msgs) {
+		if ($untaint_all_msgs) {
 		    #
 		    # We untaint
 		    #
 <at>  <at>  -1186,7 +1186,8  <at>  <at> 
 		$webpage->print("<td align=left bgcolor=\"$td_bg_color\">");
 		$webpage->print("$service_disabled_string<a href=\"$url?${monhost_and_port_args}command=svc_details&amp;args=$group,$service\">");
 		$webpage->print("<font size=+1><b>${service}</b></font></a>${desc_string} : \n");
-		$webpage->print("<font size=+1>$s->{last_summary}</font>\n");
+		$webpage->print("<font size=+1>" .
+			$untaint_all_msgs ?  HTML::Entities::encode_entities($s->{last_summary}) :
$s->{last_summary} . "</font>\n");
 		$webpage->print("<br>($failure_string)");
 		$webpage->print(" ${service_acked_string}") if $service_acked_string ne "";
 		$webpage->print("</td>\n");
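Review bot: operator precedence bug in the new print. In Perl `.` binds tighter than `?:`, so `"<font size=+1>" . $untaint_all_msgs ? A : B . "</font>\n"` parses as `("<font size=+1>" . $untaint_all_msgs) ? A : (B . "</font>\n")`; the condition is then a non-empty string regardless of the setting, the encoded branch is always taken, and both font tags are dropped from the output. Parenthesise the ternary: `"<font size=+1>" . ($untaint_all_msgs ? HTML::Entities::encode_entities($s->{last_summary}) : $s->{last_summary}) . "</font>\n"`.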
 <at>  <at>  -1642,9 +1643,18  <at>  <at> 
 	$webpage->print("</td></tr>");

 	# Now print the detail and summary information for the failed service
-	$op{$group}->{$service}->{'last_summary'} = "&lt;not specified&gt;" if
$op{$group}->{$service}->{'last_summary'} eq "" ;
-	$op{$group}->{$service}->{'last_detail'} = "&lt;not specified&gt;" if
$op{$group}->{$service}->{'last_detail'} eq "" ;
-	$op{$group}->{$service}->{'last_detail'} =~ s/\n/<BR>/g;
+	if ($op{$group}->{$service}->{'last_summary'} eq "") {
+		$op{$group}->{$service}->{'last_summary'} = "&lt;not specified&gt;";
+	} elsif ($untaint_all_msgs) {
+		$op{$group}->{$service}->{'last_summary'} = HTML::Entities::encode_entities($op{$group}{$service}{'last_summary'})
+	}
+	if ($op{$group}->{$service}->{'last_detail'} eq "" ) {
+		$op{$group}->{$service}->{'last_detail'} = "&lt;not specified&gt;"
+	} elsif ($untaint_all_msgs) {
+		$op{$group}->{$service}->{'last_detail'} = HTML::Entities::encode_entities($op{$group}{$service}{'last_detail'})
+	} else {  # not much of an untaint
+		$op{$group}->{$service}->{'last_detail'} =~ s/\n/<BR>/g;
+	};
 	$webpage->print("<tr><td width=25%><font size=+1 color=\"$font_color\">Failure summary</font>:</td><td>$op{$group}->{$service}->{'last_summary'}</td></tr>\n");
 	$webpage->print("<tr><td width=25%><font size=+1 color=\"$font_color\">Failure detail</font>:</td><td>$op{$group}->{$service}->{'last_detail'}</td></tr>\n");
 	$webpage->print("</table>");
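Review bot: the newline-to-`<BR>` substitution on last_detail now runs only in the `else` branch, so with untainting enabled (the recommended setting) multi-line detail output loses its line breaks. encode_entities leaves newlines untouched, so run `s/\n/<BR>/g` unconditionally after the encode step rather than as the alternative to it. Two smaller points: the `# not much of an untaint` comment is misleading because that branch does no untainting at all, and the `};` closing the if/elsif/else chain has a stray semicolon.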
 <at>  <at>  -3651,8 +3661,8  <at>  <at> 
 			return 0;
 		    }
 		    $dtlog_max_failures_per_page = $val;
-		} elsif ($key eq "untaint_ack_msgs") {
-		    $untaint_ack_msgs = $val;
+		} elsif ($key eq "untaint_all_msgs") {
+		    $untaint_all_msgs = $val;
 		} elsif ($key eq "watch") {
 		    push( <at> show_watch, $val);
 		} elsif ($key eq "show_watch_strict") {
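Review bot: renaming the config key from `untaint_ack_msgs` to `untaint_all_msgs` silently breaks existing mon.cgi config files, since an old `untaint_ack_msgs` line no longer matches this elsif chain and the variable keeps only its compiled-in default. Accept the old name as a deprecated alias (`$key eq "untaint_all_msgs" || $key eq "untaint_ack_msgs"`) and log a warning, so deployments that set it do not lose the scrubbing without noticing.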
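To make the encoding step concrete, here is an added example in Python (mon.cgi is Perl, and this is not code from the patch) that renders constructed monitor output both the unsafe way and the escaped way; `html.escape` stands in for HTML::Entities::encode_entities. It also shows the ordering the detail branch has to get right: escape first, then convert newlines to `<br>`, so line breaks survive without letting raw markup from the monitor through.

```python
"""Escape monitor output before it is dropped into mon.cgi's HTML page.

Added example (Python), not code from mon.cgi or the patch.
html.escape plays the role of HTML::Entities::encode_entities.
"""
import html

# Constructed samples of monitor output. The first is the syslog fragment from
# the message; the second is multi-line output that contains angle brackets.
SAMPLE_SUMMARY = "to=<whatever@example.com>"
SAMPLE_DETAIL = "line one\n<b>line two</b>"


def render_summary_unsafe(summary):
    """Pre-patch behaviour: the summary is interpolated into the page as-is,
    so the browser parses '<whatever@example.com>' as a tag and shows 'to='."""
    return "<font size=+1>%s</font>\n" % summary


def render_summary(summary):
    """Patched behaviour: escape the text; the '<not specified>' placeholder is
    written as entities so it displays literally."""
    if summary == "":
        return "<font size=+1>&lt;not specified&gt;</font>\n"
    return "<font size=+1>%s</font>\n" % html.escape(summary)


def render_detail(detail):
    """Escape first, then convert newlines to <br>. Escaping does not touch
    newlines, so the line breaks survive and the <br> we add is the only
    markup present. Substituting instead of escaping leaves the text unsafe;
    substituting before escaping turns our <br> into &lt;br&gt;."""
    if detail == "":
        return "&lt;not specified&gt;"
    return html.escape(detail).replace("\n", "<br>")


def only_our_markup(rendered, allowed=("<font size=+1>", "</font>", "<br>")):
    """True if no tag other than the ones this renderer emits itself survives."""
    for tag in allowed:
        rendered = rendered.replace(tag, "")
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    for label, out in (("unsafe", render_summary_unsafe(SAMPLE_SUMMARY)),
                       ("escaped", render_summary(SAMPLE_SUMMARY)),
                       ("detail", render_detail(SAMPLE_DETAIL))):
        print("%-8s only_our_markup=%-5s %r" % (label, only_our_markup(out), out))
```

`only_our_markup` is the kind of check a test for the CGI could carry: render a summary containing angle brackets and assert that nothing but the renderer's own tags remains.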
Todd Lyons | 12 Jul 17:47 2007

Re: rbl.monitor - warn if mailservers are in a blacklist


On Tue, Jul 03, 2007 at 09:17:01PM -0300, Marco A P D'Andrade wrote:

>   Usually you can check the validity of the parameter sequence
>   It has the same effect, but you don't need to use %opt hash.

Is this just a preference or is there:
a) a performance improvement
b) a readability improvement (obviously yes)
c) other improvement?

>    my $optOk GetOptions( ... , 'help' => \$help );
>     unless ( $optOk || $help ) {
>        print $usage, "\n";
>        exit 1;
>     }

Very nice, I'm embarrassed to admit this, but I had never actually
checked the perldoc page so I didn't know that GetOptions returned a
value.  Makes sense and I can see its usefulness.

Yes, you are a perl monger :-)
-- 
Regards...		Todd
when you shoot yourself in the foot, just because you are so neurally
broken that the signal takes years to register in your brain, it does
not mean that your foot does not have a hole in it.      --Randy Bush
Linux kernel 2.6.17-6mdv   2 users,  load average: 0.01, 0.01, 0.00
Owen Crow | 16 Jul 17:41 2007

Monitor for SSL Certificate expiration date

I've seen some tests mentioned in this list, but they point to broken links.

It seems like this can be done with the openssl command line, but I
can only get certificate date information _after_ the certificate
expires.  If anyone knows how to extract an SSL certificate's
expiration date remotely, I'd be happy to convert that into a monitor
script.

I'm primarily interested in HTTPS, but it seems like this would be
generic for any SSL/TLS-protected service.

Thanks,
Owen
Jan-Frode Myklebust | 16 Jul 19:14 2007

Re: Monitor for SSL Certificate expiration date

On 2007-07-16, Owen Crow <owen.crow <at> gmail.com> wrote:
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires.  If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.
>

Thanks for the offer, I could use something like that :-)

$ echo "" | openssl s_client -connect mail.altibox.no:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "Not After :"

  -jf
Ed Ravin | 16 Jul 19:47 2007

Re: Monitor for SSL Certificate expiration date

On Mon, Jul 16, 2007 at 10:41:15AM -0500, Owen Crow wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
> 
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires.  If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.

Yes, I've wanted to do this for a long time.  You just inspired me to
read the man pages and it looks pretty straightforward to use the
openssl command line:

   # download the certificate:
   openssl s_client -connect server.example.com:443 < /dev/null  > testme.pem

   # print out the expiration date:
   openssl x509 -noout -in testme.pem  -enddate

The output showing the expiration date looks like this:

   notAfter=Nov  3 18:58:34 1999 GMT

Which should be easy to feed to Date::Parse::str2time() to turn into a ctime.

> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.

The openssl command line man page says it also supports SMTP and POP
protocol for downloading certificates:

  openssl s_client -connect mail.example.com:25 -starttls smtp < /dev/null > testme.pem

Or "-starttls pop3" for a POP server.  No IMAP support, unfortunately.

Here's a possible starting point:

   sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN]
                   [--expirewarn NN] host [...]

Where the port number defaults to 443, and expirewarn defaults to 30 days
(i.e. alarm if the server's certificate expiration date is within 30 days).

Later on we could add bells and whistles to check the verification chain,
warn on self-signed certs, 

If you start the script I'll help you finish it.  I suggest writing it
in Perl since I know it'll have no problem parsing the expiration date
output.
David Nolan | 16 Jul 19:58 2007

Re: Monitor for SSL Certificate expiration date

Argh, sent this from the wrong address, so it's sitting in the admin
queue for the mailing list...

-David

On 7/16/07, David Nolan <vitroth <at> cmu.edu> wrote:
> Here's a copy of https.monitor with certificate expiration support
> added.  I thought I had committed this to the mon-contrib CVS area, but
> it's not there... I'll fix that.
>
> -David
>
> On 7/16/07, Owen Crow <owen.crow <at> gmail.com> wrote:
> > I've seen some tests mentioned in this list, but they point to broken links.
> >
> > It seems like this can be done with the openssl command line, but I
> > can only get certificate date information _after_ the certificate
> > expires.  If anyone knows how to extract an SSL certificate's
> > expiration date remotely, I'd be happy to convert that into a monitor
> > script.
> >
> > I'm primarily interested in HTTPS, but it seems like this would be
> > generic for any SSL/TLS-protected service.
> >
> > Thanks,
> > Owen
> >
Attachment (https.monitor): application/octet-stream, 6788 bytes
Ed Ravin | 16 Jul 19:59 2007

Re: Monitor for SSL Certificate expiration date

On Mon, Jul 16, 2007 at 07:14:38PM +0200, Jan-Frode Myklebust wrote:
> On 2007-07-16, Owen Crow <owen.crow <at> gmail.com> wrote:
> >
> > It seems like this can be done with the openssl command line, but I
> > can only get certificate date information _after_ the certificate
> > expires.  If anyone knows how to extract an SSL certificate's
> > expiration date remotely, I'd be happy to convert that into a monitor
> > script.
> >
> 
> Thanks for the offer, I could use something like that :-)
> 
> $ echo "" | openssl s_client -connect mail.altibox.no:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "Not After :"

No need to parse out the certificate with sed - as implied in my previous
message, openssl seems to be able to ignore the non-certificate portions
of the file:

    openssl s_client -connect www.example.com:443 2>/dev/null </dev/null | openssl x509 -noout -enddate

But if I was scripting this, I would call the two openssl commands
separately and save the output to a file, so that I could detect failures
more reliably...
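Putting Ed's two messages together (run the two openssl commands separately and check each one, then parse the `notAfter=` line and alarm when expiry falls within the `--expirewarn` window, 30 days by default, port 443 by default), here is an added Python example. It is not a mon monitor from the list and not the https.monitor attachment. The openssl invocations are the ones from the thread (`s_client -connect`, `-starttls smtp|pop3`, `x509 -noout -enddate`, `-in` for a file on disk as Allan asks for) plus `-servername` for SNI, which is my addition; the sample date is the one from Ed's message and the `now` values in the demo are constructed.

```python
"""Check a TLS server's certificate expiry via the openssl command line.

Added example (Python), not a mon monitor from the list. One openssl run
fetches the certificate and a second parses it; each exit status is checked
so a failed fetch is an error, not a missing date. The notAfter line is then
parsed and compared against the expirewarn threshold.
"""
import ssl
import subprocess
import sys
from datetime import datetime, timezone

DEFAULT_PORT = 443
DEFAULT_EXPIREWARN_DAYS = 30
# protocol -> argument for "s_client -starttls" (None means plain TLS, e.g. HTTPS)
STARTTLS_FOR_PROTOCOL = {"https": None, "smtp": "smtp", "pop3": "pop3"}


def utc_datetime(*args):
    """Build an aware UTC datetime (used for the demo's fixed 'now' values)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_not_after(line):
    """Turn 'notAfter=Nov  3 18:58:34 1999 GMT' into an aware UTC datetime.

    ssl.cert_time_to_seconds understands exactly the 'Mon DD HH:MM:SS YYYY GMT'
    layout openssl prints, including the double space before a one-digit day."""
    line = line.strip()
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError("unexpected openssl -enddate output: %r" % line)
    seconds = ssl.cert_time_to_seconds(line[len(prefix):])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(enddate_line, expirewarn_days=DEFAULT_EXPIREWARN_DAYS, now=None):
    """Return (status, days_left): 'expired', 'warning' (within expirewarn_days) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    days_left = (parse_not_after(enddate_line) - now).total_seconds() / 86400.0
    if days_left < 0:
        return "expired", days_left
    if days_left <= expirewarn_days:
        return "warning", days_left
    return "ok", days_left


def _run(cmd, stdin_text=None, timeout=30):
    """Run one openssl command; raise with its stderr if it exits non-zero."""
    # stdin is /dev/null unless we are piping the PEM into openssl x509.
    kwargs = {"input": stdin_text} if stdin_text is not None else {"stdin": subprocess.DEVNULL}
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, **kwargs)
    if result.returncode != 0:
        raise RuntimeError("openssl %s failed (exit %d): %s"
                           % (cmd[1], result.returncode, result.stderr.strip()))
    return result.stdout


def fetch_enddate(host, port=DEFAULT_PORT, protocol="https", timeout=30):
    """Fetch the server certificate, then ask openssl x509 for its notAfter line."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-servername", host]
    starttls = STARTTLS_FOR_PROTOCOL[protocol]
    if starttls:
        cmd += ["-starttls", starttls]
    pem = _run(cmd, timeout=timeout)
    if "-----BEGIN CERTIFICATE-----" not in pem:
        raise RuntimeError("no certificate in s_client output from %s:%d" % (host, port))
    # openssl x509 ignores the non-certificate chatter around the PEM block.
    return _run(["openssl", "x509", "-noout", "-enddate"], stdin_text=pem, timeout=timeout)


def enddate_from_file(path, timeout=30):
    """Same check for a certificate already on disk."""
    return _run(["openssl", "x509", "-noout", "-enddate", "-in", path], timeout=timeout)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # usage: sslcert_check.py host [port] [expirewarn_days]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
        warn = int(sys.argv[3]) if len(sys.argv) > 3 else DEFAULT_EXPIREWARN_DAYS
        status, days = classify(fetch_enddate(host, port), warn)
        print("%s:%d %s (%.1f days left)" % (host, port, status, days))
        sys.exit(0 if status == "ok" else 1)
    # Offline demonstration on the sample line from the thread with constructed clocks.
    sample = "notAfter=Nov  3 18:58:34 1999 GMT"
    for now in (utc_datetime(1999, 9, 1), utc_datetime(1999, 10, 10), utc_datetime(2007, 7, 16)):
        print(now.date(), classify(sample, 30, now))
```

A non-zero exit from either openssl step surfaces as an exception with the tool's stderr, which is the failure-detection Ed wanted from running the commands separately; `fetch_enddate` also refuses to parse s_client output that contains no PEM block at all.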
Allan Wind | 16 Jul 22:04 2007

Re: Monitor for SSL Certificate expiration date

On 2007-07-16T13:59:10-0400, Ed Ravin wrote:
> But if I was scripting this, I would call the two openssl commands
> separately and save the output to a file, so that I could detect failures
> more reliably...

I probably will if no one else does or have one available.  The monitor 
should also allow you to validate a certificate given a file system 
path.

/Allan
