Menu
▾
▴
Re: [Fail2ban-users] DNS Log Errors - Solved
|
From: Yaroslav H. <li...@on...> - 2007-07-29 15:44:50
|
And please find filter attached (I've sent it to the list few times
already but list server for some reason didn't forward my emails to the
list).
I want to mention once again that there is a possibility of DoS against
your server, so use this filter/jail with caution:
* Add your local IPs to ignoreip (so your local boxes can't be denied
access)
* Do not enable permanent banning for the jail (bantime = -1) -- just
make it sufficiently long (like an hour: bantime = 3600)
* It is better to ban only DNS specific ports (so do not use iptables-all
or shorewall actions), so that you do not provoke DoS against the
server if it hosts other services
* Enable both udp and tcp jails (some small portion of queries from
outside can come through TCP)
Jail configuration in debian (in stock jail.conf you would need to
specify action explicitely) for named-refused would be:
# DNS Servers
# Mention: by default logging is off with bind installation.
# Need smth like
# logging {
# channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 30m; severity dynamic; print-time yes; };
# category lame-servers { lame-servers_file; };
# }
# in your named.conf to provide proper logging
[named-refused-udp]
enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/lame-servers.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/lame-servers.lo
On Sat, 28 Jul 2007, Richard Creighton wrote:
> If you run a DNS server on your system you probably have been plagued
> with external sites trying to forward queries through your DNS server.
> Even though you probably have told your named.conf to allow-query
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
|