|check_conn||Checks the number of active connections on any given port.||GNU/Linux and BSD|
|check_quota||Checks if any of the system users has exceeded disk quota. WARNING status when soft quota limit has been reached, and CRITICAL status when the hard quota limit has been reached. It will also report the total number of blocks used by all users.||BSD|
This sensor will check if FTP accounts have been accessed from too many different countries, which could indicate compromised/hacked FTP credentials.
It accomplishes this by checking the output of the `last` command and looking up the listed ip addresses using the geoiplookup tool (which you obviously need to have installed.)
If you can't grab geoip from the package management of your OS/distro, the geoiplookup tool is included with the GeoIP api which can be obtained here
After an account has been checked you can reset everything back to 'ok' by flushing /var/log/wtmp.
The sensor should be compatible with both GNU/Linux and BSD.
Sso far it has only been tested on GNU/Linux.
With possible minor adjustment it should be compatible on any OS with `last`.