decoupled accounting cron check

Alexander Clouter alex at digriz.org.uk
Sun Mar 6 20:37:01 CET 2011 

Hi,

For those out there using decoupled accounting, especially in an 
'eduroam' environment, might find the following helpful.

I receive a lot of random rubbish from the various NAS's deployed 
internationally send to my FreeRADIUS installation.  Such moments of fun 
are accounting stop packets with a zero session length 
(CISCO_ACCOUNTING_HACK) resulting in a DoS when received in the 
decoupled accounting case...plus the other usual hings that trigger 
corner cases my custom (bad?) SQL statements do not catch when logging 
this information to our database.

The unfortunate outcome means after a bad accounting packet, the 
mountpoint I use for recording my journal fills up until FreeRADIUS 
hangs with no warning (meanwhile FreeRADIUS works fine so it is not 
something trivially monitored by NAGIOS or such).

The solution I slapped together is a quick minutely run script by cron 
that notifies me by email when a problem occurs.

My preference is to place my detail journal files on a separate tmpfs 
mountpoint (as I use low powered ARM boxes, OpenRD's if you are curious, 
that only have a NAND):
----
tmpfs /var/log/freeradius/radacct/journal tmpfs nosuid,nodev,noexec,size=32M,mode=700,uid=freerad,gid=freerad 0  0
----

Then the following script is used.
----
#!/bin/sh

MOUNT=/var/log/freeradius/radacct/journal
TRIGGER=1024
RCPT="jill at example.com bob at example.com"
MESSAGE="FreeRADIUS is on the road to implosion...yer might want to look into it.

Cheers"

SELF=$(basename $0)

if [ -e "/var/lock/$SELF" ]; then
	if [ $(df "$MOUNT" | tail -n1 | awk '{ print $3 }') -lt $(($TRIGGER/2)) ]; then
		rm "/var/lock/$SELF"
	else
		exit 1
	fi
fi

[ $(df "$MOUNT" | tail -n1 | awk '{ print $3 }') -lt $TRIGGER ] && exit 0

DATE=$(date -R)
TO=$(echo $RCPT | sed 's/ /, /g')

cat <<EOF | /usr/sbin/sendmail -i $RCPT
To: $TO
Date: $DATE
Subject: $MOUNT exceeds ${TRIGGER}kB

$MESSAGE
EOF

[ $? -eq 0 ] && touch "/var/lock/$SELF"

exit 1
----

That's it.  The above script will email you only a single time when more 
that 1024kB of journal is sitting around waiting to be processed and 
will re-enable notifications once it drops to half the trigger mark 
(512kB).

Cheers

-- 
Alexander Clouter
.sigmonster says: T-shirt:
                  	Life is *not* a Cabaret, and stop calling me chum!

More information about the Freeradius-Users mailing list