Eat your own food. What a wise phrase. If you create or produce anything, you should be able to use it (or eat it) as part of your daily routine. That way, you find out whether it is really good and how it works (if it works at all). This applies to all kinds of professions, but it is especially important in the software world.

We produce Pandora FMS, a monitoring software known for its flexibility and speed. Today at the office, and for the second time, our mail server, which is hosted at Dreamhost, was locked. Dreamhost is one of the biggest hosting providers on earth, well known for having real experts on their teams, not trainees or the like. They give you a full shell on shared hosting and think you can’t break a thing… Are they crazy or what?

Talking to the Support Department, we were told that they had locked our IP for hammering the IMAP server (hammering means hitting a remote server with a lot of requests per second). If they didn’t protect their servers automatically, anyone could easily cause a DoS (Denial of Service).

As we know a little about monitoring and have eaten our own dog food so many times, it took us a bit more than a minute to find the problem using Netflow [1] and Pandora FMS.

With a PCAP filter [2] applied to the real-time Netflow interface of Pandora FMS, we extracted the internal IPs that use the POP and IMAP ports, ordered the 30 IPs with the most traffic, and voilà:

[Screenshot, 2015-09-03 at 16.05.49]

In yellow we can see the IP that is hammering the Dreamhost server at a constant rate of 13kb/sec.
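The same ranking can be reproduced outside the Pandora FMS interface. The following Python script is an added example, not Pandora FMS code: it applies the POP/IMAP port filter to flow records and orders the internal sources by traffic. The flow records, the 192.168.0.0/16 LAN range and the 120-second window are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAIL_PORTS = {110, 143, 993, 995}        # POP3, IMAP and their TLS variants
INTERNAL = ip_network("192.168.0.0/16")  # assumed office LAN range

# Constructed flow records: (start_epoch, src_ip, dst_ip, dst_port, bytes)
FLOWS = (
    # one client opening a new mail connection every 2 seconds
    [(1000 + 2 * i, "192.168.1.50", "203.0.113.10", 993, 1500) for i in range(60)]
    + [
        (1000, "192.168.1.21", "203.0.113.10", 993, 4000),
        (1060, "192.168.1.21", "203.0.113.10", 993, 3500),
        (1010, "192.168.1.33", "203.0.113.10", 110, 2000),
        (1015, "192.168.1.33", "198.51.100.7", 443, 90000),  # not a mail port
        (1020, "198.51.100.9", "203.0.113.10", 143, 8000),   # not an internal source
    ]
)

def top_mail_talkers(flows, n=30, window_s=120):
    """Rank internal sources by bytes sent to POP/IMAP ports.

    Returns (src_ip, total_bytes, flow_count, bytes_per_second) tuples,
    heaviest first, with the rate averaged over window_s seconds.
    """
    totals = defaultdict(lambda: [0, 0])  # src_ip -> [bytes, flows]
    for _ts, src, _dst, dport, nbytes in flows:
        # Same idea as the PCAP filter: keep only mail traffic from the LAN
        if dport not in MAIL_PORTS or ip_address(src) not in INTERNAL:
            continue
        totals[src][0] += nbytes
        totals[src][1] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(src, b, f, b / window_s) for src, (b, f) in ranked[:n]]

if __name__ == "__main__":
    for src, nbytes, nflows, rate in top_mail_talkers(FLOWS):
        print(f"{src:15} {nbytes:>8} bytes {nflows:>4} flows {rate:8.1f} B/s")
```

A source with a high flow count and a steady byte rate, like the first host in the sample data, is the pattern a provider's rate limiting reacts to.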

We would like to tell this “subject”, who uses Mutt and OfflineIMAP, to update himself and move to a mail client younger than he is. ;)

[Screenshot, 2015-09-03 at 16.06.04]

To finish this post, we have to say that Netflow is a 100% open source feature of Pandora FMS.

[1] Netflow is a network analysis protocol to get statistical information about the internal network usage. It’s based on sending data from the routers to a netflow manager.

[2] A PCAP expression is a logical expression used to filter network traffic. It’s normally used in low-level traffic sniffers, such as tcpdump or Wireshark.

This is an adaptation of the original post from Openfriki.
