
Template: Are your servers blacklisted?

Most companies have a wide variety of services running, usually with public and private facing interfaces. If you are providing services like SMTP, DNS or similar to your customers, those services might be misused and you could end up getting your servers' IP addresses blacklisted on various Domain Name System Blackhole Lists (DNSBLs). This could hurt your reputation as a service provider and will certainly result in a bad experience for your customers.

Checking regularly if your hosts are blacklisted is key, but what if you have hundreds or thousands of servers? You make Zabbix do it for you!

Requirements

  • CentOS/RHEL
    • # yum install bind-utils
  • Debian/Ubuntu
    • # apt-get install dnsutils

How it works

This template utilizes External Checks. The script “check_dnsbl.sh” is run with parameters for the hostname of the server you wish to check and which DNSBL you wish to check against. It simply returns “0” if the server is not listed and “1” if it is.

The template has 5 pre-made items and corresponding triggers. The items should be pretty self-explanatory. Example: check_dnsbl.sh[{HOST.DNS},zen.spamhaus.org]

You can change the existing DNSBL servers in the template or add your own, although the ones already added should cover most users quite well.

“{HOST.DNS}” is a macro that expands to the DNS name you have specified for your hosts on their interfaces. The script requires DNS names in order to function, although both the script and the template can be modified to use IP addresses instead. I wouldn’t recommend this though, since not using hostnames is bad practice anyway.

The default DNSBLs used are:

  • b.barracudacentral.org – A free DNSBL of IP addresses known to send spam
  • bl.spamcop.net – The SCBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamCop user submissions.
  • cbl.abuseat.org – The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.
  • dnsbl.sorbs.net – The SORBS (Spam and Open Relay Blocking System) provides free access to its DNS-based Block List (DNSBL) to effectively block email from more than 12 million host servers known to disseminate spam, phishing attacks and other forms of malicious email.
  • zen.spamhaus.org – ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

You can find additional ones at: www.dnsbl.info

DNSBL queries

As an example, when a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let’s say, dnsbl.example.net), it does more or less the following:

  1. Take the client’s IP address—say, 192.168.42.23—and reverse the order of octets, yielding 23.42.168.192.
  2. Append the DNSBL’s domain name: 23.42.168.192.dnsbl.example.net.
  3. Look up this name in the DNS as a domain name (“A” record). This will return either an address, indicating that the client is listed; or an “NXDOMAIN” (“No such domain”) code, indicating that the client is not.
  4. Optionally, if the client is listed, look up the name as a text record (“TXT” record). Most DNSBLs publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the “A” rather than “PTR” record type, and uses a forward domain (such as dnsbl.example.net above) rather than the special reverse domain in-addr.arpa.
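As an added example (not part of the original post or of the template’s script), the same four-step procedure in Python, with the resolver passed in so that it runs offline against a constructed sample zone; the default `socket.gethostbyname` resolver, the `dnsbl.example.net`/`unreachable.example.net` sample names and the `127.0.0.0/8` check are assumptions, the last being the RFC 5782 convention for listing answers. It also separates “not listed” (NXDOMAIN) from “lookup failed”, which the check_dnsbl.sh script further down does not.

```python
import ipaddress
import socket
from typing import Callable, Optional

# A resolver maps a DNS name to its A-record address, or raises socket.gaierror
# (errno EAI_NONAME for NXDOMAIN) when the name does not exist.
Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Steps 1-2: reverse the IPv4 octets and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL lookups are handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def check_dnsbl(ip: str, zone: str,
                resolve: Resolver = socket.gethostbyname) -> Optional[bool]:
    """Step 3: True = listed, False = NXDOMAIN (not listed), None = lookup failed.

    Unlike check_dnsbl.sh, a timeout or SERVFAIL is not reported as "0", and an
    answer outside 127.0.0.0/8 (the RFC 5782 convention for listing codes)
    is treated as a broken or wildcarded zone rather than as a listing.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:  # NXDOMAIN: client is not listed
            return False
        return None  # EAI_AGAIN and friends: temporary failure, no verdict
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return True
    return None


# Constructed sample zone so the example runs offline; not a real DNSBL.
SAMPLE_ZONE = {"23.42.168.192.dnsbl.example.net": "127.0.0.2"}


def sample_resolver(name: str) -> str:
    """Hypothetical resolver over SAMPLE_ZONE; one zone simulates a dead server."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name.endswith(".unreachable.example.net"):
        raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
```

Call check_dnsbl() without the third argument to query a real list through the system resolver; a None result is the case worth alerting on separately in monitoring, since it means no verdict was obtained.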

How could my servers end up in the database of a DNSBL?

You can end up becoming blacklisted in any number of ways: spam being sent from an improperly secured SMTP server, misconfigured proxy services that are open to relaying, compromised systems that are used in botnets, hostile users on your company network. Unfortunately, the list goes on and on.

Disclaimer

Verifying whether your servers are indeed blacklisted doesn’t just require you to send a DNS query to any DNSBL. It requires you to use a reputable one. Otherwise you might end up with false positives or outdated answers. Always research your DNSBL provider and read through their documentation to find out exactly how they populate and update their database.

Instructions – Are your servers Blacklisted?

  1. First, head over to Zabbix Share to fetch the template and script.
  2. Copy “check_dnsbl.sh” to your Zabbix Servers and Proxies and place it in “/usr/local/share/zabbix/externalscripts”
    1. Check your server and proxy configuration file for the correct folder; look for the parameter “ExternalScripts”
  3. Make the script executable: chmod +x /usr/local/share/zabbix/externalscripts/check_dnsbl.sh
  4. Create the following value map (Administration -> General -> Value mapping: Create value map)
    1. Name: IP Blacklist
      0 -> Not listed
      1 -> Listed
  5. Import the template and assign it to your host(s).

If you run into trouble executing the script, here’s an excerpt from the Zabbix Wiki:

Zabbix server will look in the directory defined as the location for external scripts (parameter ‘ExternalScripts’ in Zabbix server configuration file) and execute the command. The command will be executed as the user Zabbix server runs as, so any access permissions or environment variables should be handled in a wrapper script, if necessary, and permissions on the command should allow that user to execute it. Only commands in the specified directory are available for execution.


Script: check_dnsbl.sh

#!/bin/bash
# Usage: check_dnsbl.sh <hostname> <blacklist zone>
# Prints "1" if the host's IPv4 address is listed in the given DNSBL, "0" if not.

if [[ $# -ne 2 ]]; then
    echo "Usage: ./${0##*/} <hostname> <blacklist service>"
    exit 1
fi

# Retrieves the A record for hostname ($1); the last word of the output is the address
HOSTLOOKUP=$(host -t a "$1")
IP=${HOSTLOOKUP##*[[:space:]]}

# IP address validity check (a failed lookup ends in e.g. "3(NXDOMAIN)", which fails this test)
if [[ ! $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    echo "Could not resolve a valid IP for $1"
    exit 1
fi

# Converts the resolved IP into reverse IP (a.b.c.d -> d.c.b.a)
REVIP=$(sed -r 's/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/\4.\3.\2.\1/' <<< "$IP")

# Performs the actual lookup against the blacklist; -W 2 gives up after 2 seconds.
# Note: an answer means listed; NXDOMAIN, but also a timeout or resolver error, yields "0".
if host -W 2 -t a "$REVIP.$2" >/dev/null 2>&1; then
    echo "1"
else
    echo "0"
fi

exit 0

One Comment

  1. rasa rasa

    Hi!

    Running Zabbix 3.2 on Ubuntu 16.04

    Script in /usr/lib/zabbix/externalscripts
    chmod +x against script file

    Imported template and assigned to hosts.

    But [no data] received from default blacklist servers.

    Any suggestions?

    Thanks!
