I have written a few custom plug-ins for the Nagios server monitoring/alerting system. These are all written in Perl.

Plugin Purpose OS
check_conn Checks the number of active connections on any given port. GNU/Linux and BSD
check_quota Checks if any of the system users has exceeded disk quota. WARNING status when soft quota limit has been reached, and CRITICAL status when the hard quota limit has been reached. It will also report the total number of blocks used by all users. BSD

This sensor will check if FTP accounts have been accessed from too many different countries, which could indicate compromised/hacked FTP credentials.

It accomplishes this by checking the output of the `last` command and looking up the listed ip addresses using the geoiplookup tool (which you obviously need to have installed.)

If you can't grab geoip from the package management of your OS/distro, the geoiplookup tool is included with the GeoIP api which can be obtained here

After an account has been checked you can reset everything back to 'ok' by flushing /var/log/wtmp.

The sensor should be compatible with both GNU/Linux and BSD.

Sso far it has only been tested on GNU/Linux.

With possible minor adjustment it should be compatible on any OS with `last`.

All these scripts are licensed under the GNU GPL license.