How to configure check_ddos.py plugin

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
jlb4350
Posts: 4
Joined: Fri Oct 25, 2019 11:05 am

How to configure check_ddos.py plugin

Post by jlb4350 »

Hello all. I have installed a plugin called check_ddos.py to help us get notified of SYN attacks on our network. I installed it and ran the check. It works to show the connections of the local Nagios server, but how can I configure this to monitor SYN attacks on our firewall? I have the service set up like this:

Command: $USER1$/check_ddos.py $ARG1$ $ARG2$
arg1: -c 300
arg2: -w 200

The problem is I don't know which host to choose. Do I need to create a host for our firewall and apply that? When I check the command above in PuTTY, it shows 7 connections, but I believe it's monitoring the local server on which Nagios is installed... not the firewall SYN attacks.

Thank you for any help you can provide. I can't seem to find any information on this that was able to get me anywhere.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: How to configure check_ddos.py plugin

Post by mcapra »

I'll assume this is the plugin you're referring to:
https://exchange.nagios.org/directory/P ... os/details

All this plugin does under the hood is run a netstat command and parse the output:

Code:

netstat -antu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l

It won't work on anything but a Linux system really. If you have a pfsense, DD-WRT, or some other Linux driven firewall, that's all fine and dandy -- run this plugin there via an agent like NCPA. If you're trying to detect SYN floods on like a Cisco or Barracuda device, this isn't really the plugin for you.

What sort of device are you trying to detect SYN floods on?
Former Nagios employee
https://www.mcapra.com/
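
The netstat pipeline quoted in the post above, re-expressed as a Nagios-style check; this is an added example, not part of the original thread and not the plugin's own code. It counts distinct remote addresses in SYN_RECV as the pipeline does, and splits the port off at the last colon so IPv6 peers are not truncated the way `cut -d: -f1` truncates them. Assumptions: the function names, the constructed sample output, the `>=` threshold comparison and the status-line wording are illustrative.

```python
import ipaddress
import subprocess
import sys
from collections import Counter

# Constructed sample of `netstat -antu` output (documentation address ranges).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 127.0.0.1:80            127.0.0.1:33000         SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.9:50222      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::bad:44000     SYN_RECV
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def syn_recv_sources(netstat_output):
    """Return Counter {remote address: half-open connections}, loopback excluded."""
    sources = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "SYN_RECV":
            continue  # header, UDP rows (no state column) and other TCP states
        # Split the port off at the LAST colon so IPv6 addresses stay whole.
        host = fields[4].rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # unparseable address: count it rather than hide it
        sources[host] += 1
    return sources

def evaluate(sources, warn, crit):
    """Map the number of distinct sources to a Nagios exit code and status line."""
    n, total = len(sources), sum(sources.values())
    code = 2 if n >= crit else 1 if n >= warn else 0  # assumed: inclusive thresholds
    label = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{label} - {n} sources, {total} SYN_RECV | sources={n};{warn};{crit}"

if __name__ == "__main__":
    try:
        out = subprocess.run(["netstat", "-antu"], capture_output=True, text=True, check=True).stdout
        code, message = evaluate(syn_recv_sources(out), 200, 300)  # -w 200 -c 300 as in the thread
    except (OSError, subprocess.CalledProcessError) as exc:
        code, message = 3, f"UNKNOWN - cannot run netstat: {exc}"
    print(message)
    sys.exit(code)
```

Like the original pipeline, this only sees the half-open connections of the host it runs on, so it has to execute on the monitored Linux system (via an agent or SSH) rather than on the Nagios server.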
jlb4350
Posts: 4
Joined: Fri Oct 25, 2019 11:05 am

Re: How to configure check_ddos.py plugin

Post by jlb4350 »

Thank you for the reply. I was thinking it would monitor the firewall, but since it needs to be Linux, we have BigIP F5s. Would it work to monitor new connections on that?

Thanks again!
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: How to configure check_ddos.py plugin

Post by benjaminsmith »

Hello,

I did some quick research and it looks like the BIG-IP Series is an embedded Linux product. As mentioned, the plugin would have to run on the remote host; it will require netstat and Python.

You could also set this check up over SSH instead of using an agent.

Monitoring Hosts Using SSH
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
jlb4350
Posts: 4
Joined: Fri Oct 25, 2019 11:05 am

Re: How to configure check_ddos.py plugin

Post by jlb4350 »

OK, thank you for your help and time. I might have to research a plugin (if one exists) on measuring SYN attacks on our Cisco ASA; that's ultimately what we are trying to achieve. Thank you again!
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: How to configure check_ddos.py plugin

Post by benjaminsmith »

Hello,

No problem. Did you have any other questions or may we close this thread?
jlb4350
Posts: 4
Joined: Fri Oct 25, 2019 11:05 am

Re: How to configure check_ddos.py plugin

Post by jlb4350 »

benjaminsmith wrote:
Hello,

No problem. Did you have any other questions or may we close this thread?

No more questions. Thank you to all who participated. I'll continue searching for a resolution.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: How to configure check_ddos.py plugin

Post by benjaminsmith »

jlb4350 wrote:
No more questions. Thank you to all who participated. I'll continue searching for a resolution.

Sounds good. Closing.

Thank you for using the Nagios Support Forum.