[GTALUG] fail2ban problem

Michael Galea michael at galeahome.ca
Wed Aug 29 20:40:16 EDT 2018


I am experiencing what I believe is a DNS amplification attack on my 
bind9 DNS server.

I'm seeing very many of the following on different IPs
20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ 
[1au] ANY? USADF.GOV. (38)

My server responds
20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 
Refused- 0/0/1 (38)

I imagine the IPs are spoofed.
I have installed fail2ban in order to address the problem. Various 
howtos detail how to configure bind to log to 
/var/log/named/security.log and setup fail2ban.

The security.log is filling nicely with lots of "29-Aug-2018 
20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): 
query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating 
"Jail 'named-refused' started" but it never actually bans an IP.

2) I used fail2ban-regex to test the security.log line against fail2ban's 
named-refused regex, but it doesn't match! So I have to conclude either 
Debian bind9 changed the log output or fail2ban got it wrong.

I'm using the latest fail2ban from debian. Has anyone else got this to 
work?

-- 
Michael Galea
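One way to check the mismatch offline, as an added example that is not part of the post above: the log line quoted in the post carries a `client @0x7fa1d013b990 ...` pointer token before the IP, and a filter regex written for the older `client <ip>#<port>` layout cannot match it. The two patterns below are hypothetical stand-ins written here to illustrate that, not fail2ban's actual `named-refused` filter; the sample lines are constructed to mirror the post's log line.

```python
import re

# Constructed fixtures: the first mirrors the security.log line quoted in the
# post, the second is the same event in the older layout without the "@0x..."
# client pointer, the third is a permitted query that must not be banned.
SAMPLE_LINES = [
    "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 "
    "(USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied",
    "29-Aug-2018 20:23:07.798 client 66.69.234.170#29024 "
    "(USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied",
    "29-Aug-2018 20:23:08.001 client @0x7fa1d013b990 192.0.2.10#53000 "
    "(example.org): query: example.org IN A +E(0)",
]

# IPv4 capture group standing in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical old-style pattern: expects the IP directly after "client ",
# so the "@0x..." pointer token breaks the match.
OLD_RE = re.compile(
    r"client " + HOST
    + r"#\d+(?: \([^)]*\))?: query(?: \(cache\))? '[^']*' denied\s*$"
)

# Hypothetical corrected pattern: tolerates an optional "@<hex> " token
# between "client " and the IP.
NEW_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?" + HOST
    + r"#\d+(?: \([^)]*\))?: query(?: \(cache\))? '[^']*' denied\s*$"
)


def match_hosts(pattern, lines):
    """Return the IPs the filter would report to fail2ban for banning."""
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("old regex bans:", match_hosts(OLD_RE, SAMPLE_LINES))
    print("new regex bans:", match_hosts(NEW_RE, SAMPLE_LINES))
```

Running `fail2ban-regex /var/log/named/security.log /etc/fail2ban/filter.d/named-refused.conf` shows which of the installed filter's `failregex` lines, if any, account for the pointer token.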

