[GTALUG] fail2ban problem

ac ac at main.me
Wed Aug 29 23:29:15 EDT 2018


Hi,

Normally, I would not respond to a post like yours :)

When people ask your DNS server a question, they are not logging into
your system, so fail2ban is not the correct tool.

The correct answer is any of the below:
- you need to write a program or a script, for example on a small single
  system one that checks your logs and then adds an iptables rule to
  your firewall
- larger systems/clusters simply customize bind or maybe rate limit
  connections (check your named.conf - rate limit) and/or a combination
  of these things
- there are also many other ways to stop this (for example forward write
  to your routers (if you have routers) etc.)

hth

Andre

On Wed, 29 Aug 2018 20:40:16 -0400
Michael Galea via talk <talk at gtalug.org> wrote:

> I am experiencing what I believe is a DNS amplification attack on my 
> bind9 DNS server.
> 
> I'm seeing many of the following on different IPs
> 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ 
> [1au] ANY? USADF.GOV. (38)
> 
> My server responds
> 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 
> Refused- 0/0/1 (38)
> 
> I imagine the IPs are spoofed.
> I have installed fail2ban in order to address the problem. Various 
> howtos detail how to configure bind to log to 
> /var/log/named/security.log and setup fail2ban.
> 
> The security.log is filling nicely with lots of "29-Aug-2018 
> 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): 
> query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating 
> "Jail 'named-refused' started" but it never actually bans an IP.
> 
> 2) I used fail2ban-regex to test the security.log line against
> fail2ban's named-refused regex, but it doesn't match! So I have to
> conclude either debian bind9 changed the log output or fail2ban got
> it wrong.
> 
> I'm using the latest fail2ban from debian. Has anyone else got this
> to work?
> 
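Andre's first option (a script that reads the BIND security log and turns repeat offenders into iptables rules), as an added example written for this archive page. It is not Andre's or Michael's code, and the regex is my own, written to match the "query ... denied" line Michael quoted (including the "@0x..." client token that newer BIND versions print); it is not fail2ban's named-refused filter. The log lines, the threshold and the 60-second window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a BIND 9 security log in the format quoted in the
# thread.  Two line shapes are included: with and without the "@0x..." token,
# and one non-query denial that must not match.
SAMPLE_LOG = """\
29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:08.102 client @0x7fa1d013b990 66.69.234.170#29031 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:09.551 client @0x7fa1d013b990 66.69.234.170#29040 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:10.003 client 108.234.250.76#62926 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
29-Aug-2018 20:23:11.219 client @0x7fa1d0140000 192.0.2.10#4444 (example.com): query 'example.com/A/IN' denied
29-Aug-2018 20:23:12.000 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): zone transfer 'USADF.GOV/AXFR/IN' denied
29-Aug-2018 20:25:30.000 client @0x7fa1d013b990 66.69.234.170#29050 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied
"""

# Own regex (not fail2ban's): timestamp, optional "@0x..." client object
# address, client IP (v4 or v6) and port, optional "(qname):" echo, optional
# "(cache)", then the denied QNAME/QTYPE.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\([^)]*\): )?query (?:\(cache\) )?"
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def parse_denied(line):
    """Return (timestamp, client_ip, qname, qtype) for a denied-query line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def offenders(lines, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window count of denied queries per client IP.

    Returns {ip: peak_count} for every client that reached `threshold`
    denials inside any `window`; clients below the threshold are omitted.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    hits = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, ip, _qname, _qtype = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits


def iptables_rules(hits, chain="INPUT"):
    """Render one DROP rule per offender; returned as strings so the caller
    decides whether to execute them (e.g. pipe to sh)."""
    rules = []
    for ip in sorted(hits):
        tool = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{tool} -I {chain} -s {ip} -p udp --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

Two caveats a practitioner would add before running the rules. First, Michael says he expects the source IPs to be spoofed; if they are, a per-IP DROP rule punishes the spoofed victim, not the sender, which is why Andre's named.conf rate-limit suggestion (BIND's response rate limiting, e.g. `rate-limit { responses-per-second 5; };` under `options`) is the better fit for an amplification scenario. Second, the tcpdump Michael quotes shows a 38-byte REFUSED reply to a 38-byte query, so the server is already giving the attacker no amplification; the remaining cost is log volume and packet rate, not bandwidth.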
