Revision: 762
http://fail2ban.svn.sourceforge.net/fail2ban/?rev=762&view=rev
Author: yarikoptic
Date: 2010-06-29 01:38:05 +0000 (Tue, 29 Jun 2010)
Log Message:
-----------
disabling entirely named-refused-udp jail with a big fat warning
Modified Paths:
--------------
trunk/config/jail.conf
Modified: trunk/config/jail.conf
===================================================================
--- trunk/config/jail.conf 2010-06-29 01:34:08 UTC (rev 761)
+++ trunk/config/jail.conf 2010-06-29 01:38:05 UTC (rev 762)
@@ -212,15 +212,23 @@
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
-[named-refused-udp]
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled = false
+# filter = named-refused
+# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+# sendmail-whois[name=Named, dest=you@...]
+# logpath = /var/log/named/security.log
+# ignoreip = 168.192.0.1
-enabled = false
-filter = named-refused
-action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
- sendmail-whois[name=Named, dest=you@...]
-logpath = /var/log/named/security.log
-ignoreip = 168.192.0.1
-
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
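Review bot: The commented-out example keeps `# ignoreip = 168.192.0.1`, which is a routable public address rather than a private one; it looks like a transposition of `192.168.0.1`, and anyone who uncomments the block into jail.local would exempt an unrelated host from banning. Consider `# ignoreip = 192.168.0.1`, or dropping the key from the example altogether now that the jail is disabled. The warning text also has two slips worth fixing while it is being added: `immitation` → `imitation` and `connectionless protocol` → `a connectionless protocol`. Since the `[named-refused-udp]` header itself is now commented out, a jail.local that already enables this jail will presumably no longer inherit `filter`/`action` from jail.conf; if that is intended, one more warning line such as `# If you keep this jail in jail.local it must now define filter and action itself.` would turn a confusing startup failure into an expected one. The three trailing context lines of the hunk are not all visible here, so the end of the section is inferred.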