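#!/usr/bin/ksh
#########################################
# Author: Emery Rudolph                 #
# Date: Mar 03, 2009                    #
# Purpose: This script takes the count  #
# for total queries and sets a          #
# threshold above which a notification  #
# email is sent to alert sysadmins.     #
# There is no action to take upon the   #
# server. Inform INET, so that they can #
# monitor and perhaps block the address #
#########################################
#
# How it works: the "<count> QUERY" counter is pulled from named.stats and
# saved in stdQuery1; the value saved by the previous run is rotated into
# stdQuery2.  NUM = current - previous, i.e. queries seen since the last
# run.  NUM is always published to $dir/sitescope.standard.value; when it
# exceeds TRIGGER an alert mail is sent.
#
# Caveats (reviewer notes):
#  - The counter in named.stats is cumulative, so a restart of named makes
#    NUM negative for one interval; that only suppresses the alarm once and
#    is left as-is.
#  - "/minute" in the alert text is only accurate if cron runs this script
#    once a minute.  The schedule is not visible here -- confirm.
#  - "$dir/Errors" referenced in the alert body is not created or checked by
#    this script; presumably a separate log -- confirm it exists.

dir=/var/run
err_dir=$dir/err_msgs
typeset -i NUM=0          # queries since the previous run (current - previous)
typeset -i getValue=0     # cumulative QUERY count read from named.stats
typeset -i TRIGGER=10000  # alarm threshold, in queries per interval

# Every state file below is addressed relative to $dir.  If the cd fails the
# rm/mv/touch would otherwise run against whatever cwd cron gave us, so stop.
cd "$dir" || { echo "$0: cannot cd to $dir" >&2; exit 1; }

# Short grace period, presumably so a stats dump triggered just before this
# run has been fully written to named.stats -- TODO confirm against cron.
sleep 3

# Start a fresh alert body and rotate the counter snapshots.
# -f: stdQuery2 does not exist on the very first run; the move is skipped for
# the same reason instead of spewing an error.
: > "$err_dir/stdQueryMsg"
rm -f stdQuery2
[ -f stdQuery1 ] && mv stdQuery1 stdQuery2
touch stdQuery1

# named.stats is appended to by each "rndc stats" dump, so several
# "<count> QUERY" lines may be present.  Take the newest (last) one; an
# integer variable cannot hold a multi-line value.  Assumes the count is the
# first field of the matching line, as in the original -- TODO confirm format.
getValue=$(grep -w QUERY named.stats | awk '{print $1}' | tail -1)
echo "$getValue" > stdQuery1

var1=$(cat stdQuery1)
var2=$(cat stdQuery2 2>/dev/null)   # empty on the first run
echo "VAR1=$var1"
echo "VAR2=$var2"

# Default the previous value to 0 so the first run computes "current - 0"
# instead of failing on an incomplete arithmetic expression.
NUM=$var1-${var2:-0}
echo "Variable NUM=$NUM"
echo ""

# Published for the external monitor (SiteScope) regardless of the alarm.
echo "$NUM" > "$dir/sitescope.standard.value"

if (( NUM > TRIGGER ))
then
  echo "QUERY ALARM"
  host=$(uname -n)
  {
    echo "##########################################################"
    echo "The $host server is experiencing an unusually high "
    echo "level of Standard Queries, which could be an "
    echo "indication of a DOS attack. Please inspect the current "
    echo "activity in the $dir/Errors log and if confirmed, "
    echo "contact the INET group to possibly block the offending "
    echo "IP address if warranted. "
    echo "______________________________________________________ "
    echo "CURRENT Total Queries: $NUM/minute "
    echo "______________________________________________________ "
    echo "##########################################################"
  } >> "$err_dir/stdQueryMsg"
  # -r sets a synthetic sender so replies/bounces are identifiable as coming
  # from this alarm; the local MTA may rewrite it.
  mailx -s "TOTAL Queries on $host are running $NUM/min" \
        -r "DOS@$host.domain.edu" \
        email_removed@domain.edu < "$err_dir/stdQueryMsg"
fi

# Exit status is that of the last command (mailx when an alarm was sent), so
# cron sees a failed notification.
exit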