[Nagiosplug-devel] Checking for unknown NIS servers?

C. Bensend benny at bennyvision.com
Mon Feb 13 22:34:01 CET 2006


> What about using its MAC address to quarantine it?
>
>
> We've done something similar in the past for virus/worm infected
> machines.  Basically we used tcpdump to capture what we were
> looking for and that output was processed by a perl script.  When a
> computer was found its IP address was written to a file. Every minute
> that file would be read and a tool to spoof the MAC address was put into
> action.  Once running, it caught nearly all the offending machines in
> the first 5-10 minutes... and continued to catch machines as they were
> turned on.

That would probably work well for worms and viruses, but an NIS
server doesn't broadcast anything, nor does it scan IPs.  It
simply responds to a broadcast.  Hence, unless you send a broadcast
from the Nagios server and use tcpdump to watch for replies, I don't
think this is viable for my situation.

I really don't think this is a hard problem to solve...  The plugin
would simply act as an NIS client, send an NIS broadcast, collect
the replies, and compare them against the list of "good" NIS
servers.  That's it, in a nutshell.  Yes, there are a few other
details like timeouts and number of broadcasts, but the basic
functionality doesn't seem too complex.

I simply can't code well enough to do it.  :)  But, I'll poke at
it, and see if I can come up with anything useful.

Benny


-- 
"A computer lets you make more mistakes faster than any invention
in human history, with the possible exceptions of handguns and
tequila."                                          -- Dave Pooser
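
Added example, not part of the original post or of the Nagios plugins project: one way to build the check described above, assuming the probe uses the same portmapper CALLIT broadcast of YPPROC_DOMAIN_NONACK that ypbind uses to find a server. The function names, the script name and the command-line layout are hypothetical.

```python
import random, socket, struct, sys, time

PMAP_PROG, PMAP_VERS, PMAP_CALLIT, PMAP_PORT = 100000, 2, 5, 111
YP_PROG, YP_VERS, YPPROC_DOMAIN_NONACK = 100004, 2, 2

def xdr_opaque(data):
    """XDR variable-length opaque/string: length word, bytes, pad to 4."""
    return struct.pack(">I", len(data)) + data + b"\0" * (-len(data) % 4)

def build_call(xid, domain):
    """RPC CALL asking each portmapper to forward DOMAIN_NONACK to its ypserv."""
    hdr = struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAP_CALLIT,
                      0, 0, 0, 0)                    # AUTH_NONE cred and verf
    args = struct.pack(">3I", YP_PROG, YP_VERS, YPPROC_DOMAIN_NONACK)
    return hdr + args + xdr_opaque(xdr_opaque(domain.encode()))

def serves_domain(reply, xid):
    """True for an accepted, successful reply whose ypserv result is TRUE."""
    if len(reply) < 20:
        return False
    rxid, mtype, rstat, _flavor, vlen = struct.unpack(">5I", reply[:20])
    off = 20 + vlen + (-vlen % 4)                    # skip verifier body
    if (rxid, mtype, rstat) != (xid, 1, 0) or len(reply) < off + 16:
        return False
    astat, _port, rlen, served = struct.unpack(">4I", reply[off:off + 16])
    return astat == 0 and rlen >= 4 and served == 1

def probe(domain, bcast, timeout=2.0, rounds=3):
    """Broadcast `rounds` times and return the IPs that claim to serve domain."""
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for _ in range(rounds):
            xid = random.getrandbits(32)
            s.sendto(build_call(xid, domain), (bcast, PMAP_PORT))
            deadline = time.monotonic() + timeout
            while (left := deadline - time.monotonic()) > 0:
                s.settimeout(left)
                try:
                    data, (addr, _) = s.recvfrom(1024)
                except socket.timeout:
                    break
                if serves_domain(data, xid):
                    found.add(addr)
    return found

def check(responders, known_good):
    """Map responders to a Nagios exit code (0 OK, 1 WARNING, 2 CRITICAL)."""
    rogue = sorted(set(responders) - set(known_good))
    if rogue:
        return 2, "CRITICAL: unknown NIS server(s): " + ", ".join(rogue)
    if not responders:
        return 1, "WARNING: no NIS server answered"
    return 0, "OK: %d known NIS server(s) answered" % len(set(responders))

if __name__ == "__main__":  # check_nis_rogue.py DOMAIN BCAST_ADDR GOOD_IP...
    code, msg = check(probe(sys.argv[1], sys.argv[2]), sys.argv[3:])
    print(msg)
    sys.exit(code)
```

DOMAIN_NONACK is used so that servers which do not serve the domain stay silent; a reply with a mismatched transaction id or a truncated body is ignored rather than counted as a server.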




