DNS domain expiration checker

I just released version 1.0 of domain-check to my website. domain-check queries WHOIS data and prints domain expiration dates, and works very similarly to ssl-cert-check. Since seeing is believing, I will provide several examples to show just what domain-check can do.

The first example shows how domain-check can be used to print the expiration date for the domain prefetch.net:

$ domain-check -d prefetch.net

Domain                              Registrar         Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
prefetch.net                         INTERCOSMOS MEDIA Valid    13-feb-2006   64   

The next example shows how domain-check can be used to print the expiration dates for the domains listed in the file “domains”:

$ domain-check -f domains

Domain                              Registrar         Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
sun.com                             NETWORK SOLUTIONS Valid    20-mar-2010   1560 
google.com                          EMARKMONITOR INC. Valid    14-sep-2011   2103 
prefetch.net                         INTERCOSMOS MEDIA Valid    13-feb-2006   64   
spotch.com                          GANDI             Valid    03-dec-2006   357  

And the final example shows how domain-check can be used to e-mail admin@prefetch.net if a domain listed in the file “domains” will expire in 60 days or less:

$ domain-check -a -f domains -q -x 60 -e admin@prefetch.net

Send me an E-mail if you have comments or suggestions.

Testing SSL services

If you manage web applications and servers, you may have encountered a poorly written application or a web server that periodically hangs for no apparent reason. These issues usually pop up out of the blue, and most people rely on their user community to notify them when problems are detected. To ensure timely notifications when these problems occur, I developed ssl-service-check. ssl-service-check is written in Bourne shell and uses the OpenSSL toolkit to connect to a service and issue a “GET /” request. If the service fails to respond, ssl-service-check logs an error to syslog and sends an e-mail to the address defined in the global ADMINS variable. To test whether the prefetch.net web server is handling requests on TCP port 444, we can execute ssl-service-check with the “-s” (server to connect to) and “-p” (port number to connect to) options:

$ ssl-service-check.sh -s mail.prefetch.net -p 444

$ tail -1 /var/adm/messages
Nov 3 18:23:28 tigger matty: [ID 702911 daemon.notice] Failed to connect to mail.prefetch.net on Port 444

ssl-service-check was written to work with cron, and can easily be integrated with a network monitoring solution.

Printing the certificate issuer with ssl-cert-check

I modified ssl-cert-check this weekend to print the certificate issuer along with the certificate expiration date:

$ ssl-cert-check -s mail.prefetch.net -p 443 -i

Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
mail.prefetch.net:443                Equifax Secure In Valid    Jun 20 2006 247  

Hopefully this will make renewals easier for folks using ssl-cert-check.

Testing for expired certificates

I made some major enhancements to ssl-cert-check, and released a new version to the daemons.net web server. The new version no longer requires GNU date, which should make it a bit more portable. If you have never used ssl-cert-check before, you can start by reviewing the available options with the “-h” (help) option:

$ ssl-cert-check -h

Usage: ssl-cert-check {[ -c certificate file ]} || {[ -b ] && [ -f cert_file ]} || {[ -s common_name ] && [ -p port]}}
           [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ]
  -a               : Send a warning message through email 
  -b               : Print the expiration date for all certificates in cert_file (batch mode)
  -c cert file     : Print the expiration date for a PEM formatted certificate passed as an option
  -e email address : Email address to send expiration notices
  -f cert file     : File with a list of common names and ports (eg., blatch.com 443)
  -h               : Print this screen
  -p port          : Port to connect to (interactive mode)
  -s commmon name  : Server to connect to (interactive mode)
  -q               : Don't print anything on the console
  -x days          : Certificate expiration interval (eg. if cert_date < days)

If you wish to view the expiration date of a PEM encoded X.509 certificate, ssl-cert-check can be invoked with the "-c" option followed by the path of the certificate file to process:

$ ssl-cert-check -c /etc/ca/cacert.pem

Host                           Status                    Expires              Days Left
FILE:/etc/ca/cacert.pem        Valid                     Jan 2 2008           815  

To check when an SSL-enabled server's certificate will expire, ssl-cert-check can be executed with the "-s" (server name) and "-p" (TCP port to use) options:

$ ssl-cert-check -s mail.daemons.net -p 443

Host                           Status                    Expires              Days Left
mail.daemons.net:443           Valid                     Jun 20 2006          254  

If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:

$ cat ssldomains

www.daemons.com 443
mail.daemons.net 443
gmail.google.com 443
www.sun.com 443
www.spotch.com 443

$ ssl-cert-check -b -f ssldomains

Host                           Status                    Expires              Days Left
www.daemons.com:443            Valid                     May 23 2006          226  
mail.daemons.net:443           Valid                     Jun 20 2006          254  
gmail.google.com:443           Valid                     Jun 7 2006           241  
www.sun.com:443                Valid                     May 11 2009          1310 
www.spotch.com:443             Connection refused        ?                    ?    

ssl-cert-check can also be used to provide automated alerts when certificates are about to expire. The following example uses ssl-cert-check's "-q" (quiet -- don't write anything to the terminal), "-a" (automated alerts) and "-e" (e-mail address to send alerts to) options to send an e-mail to admin@daemons.net if a certificate will expire in the next 60 days:

$ ssl-cert-check -a -f ssldomains -x 60 -b -q -e admin@daemons.net

The automated alert option can also be used with the batch processing mode, and will trigger one automated notification per problematic certificate. Send me an e-mail if you run into any issues.
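As an added example (not code from domain-check or ssl-cert-check themselves), the following Python reproduces the expiration logic both tools apply: it pulls the date out of a WHOIS "Expiration Date:" line and out of "openssl x509 -noout -enddate" output, computes the Days Left column, applies the -x threshold, and treats a missing certificate (the "Connection refused" row above) as unknown. The sample WHOIS and OpenSSL text is constructed, and comment support in the -f batch file is an assumption.

```python
import re
from datetime import date, datetime

# Constructed sample inputs, not real WHOIS or OpenSSL output.
WHOIS_SAMPLE = """\
Domain Name: PREFETCH.NET
Registrar: INTERCOSMOS MEDIA GROUP, INC.
Expiration Date: 13-feb-2006
"""
OPENSSL_ENDDATE_SAMPLE = "notAfter=Jun 20 23:59:59 2006 GMT\n"


def parse_whois_expiry(text):
    """Date from a WHOIS 'Expiration Date: dd-mon-yyyy' line, or None if absent."""
    m = re.search(r"^\s*Expir\w* Date:\s*(\d{1,2}-[A-Za-z]{3}-\d{4})", text, re.M | re.I)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def parse_openssl_enddate(text):
    """Date from 'openssl x509 -noout -enddate' output ('notAfter=Mon dd HH:MM:SS yyyy GMT')."""
    m = re.search(r"^notAfter=(.+?) GMT\s*$", text, re.M)
    # '%d' also tolerates OpenSSL's space-padded single-digit days ("Jun  7 ...")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").date() if m else None


def status(expires, today, warn_days):
    """(Status, Days Left) as the report columns show them; None expiry -> unknown ('?')."""
    if expires is None:
        return ("Unknown", None)          # e.g. connection refused, no certificate seen
    days_left = (expires - today).days
    if days_left < 0:
        return ("Expired", days_left)
    if days_left <= warn_days:            # the -x threshold that triggers an alert
        return ("Expiring", days_left)
    return ("Valid", days_left)


def parse_batch_file(text):
    """Parse the -f file format: one 'common_name port' per line."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        host, port = line.split()
        targets.append((host, int(port)))
    return targets
```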

New version of ldap-stats.pl (version 3.0)

I had been meaning to update ldap-stats.pl for quite some time, and finally got the updates completed this afternoon. The new version contains usage breakdowns by hour of the day, day of the month, and month of the year:

$ ldap-stats.pl /var/log/openldap openldap*


Report Generated on Sun Sep 25 16:30:36 2005
--------------------------------------------
Processed "/var/log/openldap":  Sep 18 00:29:35 - Sep 23 23:13:51
Processed "openldap1":  Dec 26 19:20:50 - Dec 29 12:22:00
Processed "openldap2":  Dec 26 19:20:50 - Dec 31 12:51:02
Processed "openldap3":  Dec 26 19:20:50 - Dec 29 12:22:00


Operation totals
------------------
Total operations              : 116424
Total connections             : 22176
Total authentication failures : 0
Total binds                   : 15708
Total unbinds                 : 15708
Total searches                : 85008
Total compares                : 0
Total modifications           : 0
Total modrdns                 : 0
Total additions               : 0
Total deletions               : 0
Unindexed attribute requests  : 0
Operations per connection     : 5.25



Hostname       Connections  Failures   Binds  Unbinds  Searches  Adds  Mods  ModRDNs  Dels
-------------  -----------  --------  ------  -------  --------  ----  ----  -------  ----
192.168.1.3          19404         0   12936    12936     82236     0     0        0     0
192.168.1.8           2772         0    2772     2772      2772     0     0        0     0



 Hour of Day   Connections  Failures  Binds   Unbinds  Searches  Adds  Mods  ModRDNs  Dels
-------------  -----------  --------  ------  -------  --------  ----  ----  -------  ----
01:00 - 01:59         3696         0    3696     3696      3696     0     0        0     0
02:00 - 02:59         3696         0    3696     3696      3696     0     0        0     0
12:00 - 12:59          924         0     924      924       924     0     0        0     0
13:00 - 13:59         3696         0    3696     3696      3696     0     0        0     0
15:00 - 15:59         1848         0    1848     1848      1848     0     0        0     0
17:00 - 17:59         3696         0       0        0     55440     0     0        0     0
18:00 - 18:59          924         0       0        0     13860     0     0        0     0
21:00 - 21:59          924         0     924      924       924     0     0        0     0
23:00 - 23:59         2772         0     924      924       924     0     0        0     0


Day of Month   Connections  Failures   Binds  Unbinds  Searches  Adds  Mods  ModRDNs  Dels
-------------  -----------  --------  ------  -------  --------  ----  ----  -------  ----
  18                  8316         0     924     3696     72996     0     0        0     0
  19                   924         0       0      924       924     0     0        0     0
  21                  6468         0       0     6468      6468     0     0        0     0
  22                  3696         0    3696     3696      3696     0     0        0     0
  23                  2772         0     924      924       924     0     0        0     0


Month    Connections  Failures   Binds  Unbinds  Searches  Adds  Mods  ModRDNs  Dels
-------  -----------  --------  ------  -------  --------  ----  ----  -------  ----
  Sep          22176         0   15708    15708     85008     0     0        0     0


Unindexed attribute    References to attribute
-------------------    -----------------------
sn                             46        
givenName                      46        


# Searches    Search base referenced by # searches
----------    -----------------------------------------------------------
  15708       ou=contacts,dc=synack,dc=com                                 
  9240        cn=operations,cn=monitor                                    
  4620        cn=add,cn=operations,cn=monitor                             
  4620        cn=read,cn=waiters,cn=monitor                               
  4620        cn=search,cn=operations,cn=monitor                          
  4620        cn=compare,cn=operations,cn=monitor                         
  4620        cn=modify,cn=operations,cn=monitor                          
  4620        cn=bind,cn=operations,cn=monitor                            
  4620        cn=delete,cn=operations,cn=monitor                          
  4620        cn=write,cn=waiters,cn=monitor                              
  4620        cn=total,cn=connections,cn=monitor                          
  4620        cn=entries,cn=statistics,cn=monitor                         
  4620        cn=referrals,cn=statistics,cn=monitor                       
  4620        cn=bytes,cn=statistics,cn=monitor                           
  4620        cn=unbind,cn=operations,cn=monitor                          


# Binds    Bind DN
-------    --------------------------------------------------------------
  10164    anonymous                                                   
  5544     cn=email,dc=synack,dc=com               

The time breakdowns can be useful for finding bootleg cron jobs and attempts to access the directory server without authorization. Let me know if you find any problems!
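As an added example (not ldap-stats.pl itself), this Python parses OpenLDAP slapd syslog lines of the kind ldap-stats.pl reads and builds the per-host, per-hour and bind-DN counts shown above, counting failed binds (RESULT tag=97 err=49, invalidCredentials) per client so that repeated failures from one address stand out. The log lines are constructed, and labelling an empty bind DN as "anonymous" is an assumption about how the report names it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample slapd syslog lines (not from a real server).
SAMPLE_LOG = """\
Sep 18 00:29:35 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.1.3:40123 (IP=0.0.0.0:389)
Sep 18 00:29:35 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=email,dc=synack,dc=com" method=128
Sep 18 00:29:35 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 18 00:29:36 ldap1 slapd[1234]: conn=1000 op=1 SRCH base="ou=contacts,dc=synack,dc=com" scope=2 deref=0 filter="(mail=*)"
Sep 18 00:29:36 ldap1 slapd[1234]: conn=1000 op=2 UNBIND
Sep 18 17:05:01 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.168.1.8:5100 (IP=0.0.0.0:389)
Sep 18 17:05:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Sep 18 17:05:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 18 17:05:02 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="cn=admin,dc=synack,dc=com" method=128
Sep 18 17:05:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
"""

# syslog timestamp, host, "slapd[pid]:", then "conn=N <rest>"
LINE_RE = re.compile(r"^\w{3} +\d+ (?P<hh>\d\d):\d\d:\d\d \S+ slapd\[\d+\]: "
                     r"conn=(?P<conn>\d+) (?P<rest>.*)$")


def parse_ldap_log(lines):
    """Return (per-client-IP counters, per-hour connection counts, bind DN counts)."""
    conn_ip = {}                      # conn id -> client IP taken from its ACCEPT line
    by_host = defaultdict(Counter)
    per_hour = Counter()
    bind_dn = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a slapd connection line
        conn, rest = m.group("conn"), m.group("rest")
        if " ACCEPT from IP=" in rest:
            endpoint = rest.split("ACCEPT from IP=", 1)[1].split(" ", 1)[0]
            ip = endpoint.rsplit(":", 1)[0]          # strip the client port
            conn_ip[conn] = ip
            by_host[ip]["connections"] += 1
            per_hour[m.group("hh") + ":00"] += 1
            continue
        ip = conn_ip.get(conn, "unknown")            # ACCEPT may predate the log window
        if " BIND dn=" in rest:
            dn = rest.split('dn="', 1)[1].split('"', 1)[0]
            bind_dn[dn or "anonymous"] += 1          # assumption: empty DN reported as anonymous
            by_host[ip]["binds"] += 1
        elif " SRCH base=" in rest:
            by_host[ip]["searches"] += 1
        elif rest.endswith(" UNBIND"):
            by_host[ip]["unbinds"] += 1
        elif " RESULT tag=97 " in rest and " err=49 " in rest:
            by_host[ip]["failures"] += 1            # tag 97 = bind response, err 49 = invalidCredentials
    return by_host, per_hour, bind_dn
```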