From: Vik K. <vip...@gm...> - 2014-04-02 15:13:38

Sorry, I thought I was replying to list.... I just signed up for github, I think I did it correctly...
https://github.com/fail2ban/fail2ban/pull/677
Thanks

On Wed, Apr 2, 2014 at 10:54 AM, Tom Hendrikx <to...@wh...> wrote:
>
> Hi Vik,
>
> please keep replies on-list...
>
> Just put it in github, it's easy to clean it up there. I'll take a look
> at it when it's there. But a wiki is no coding platform :)
>
> Tom
>
> On 04/02/2014 04:48 PM, Vik Killa wrote:
> > I think it could stand to be "cleaned up" as I am no expert with regex
> > and fail2ban...
> > I'd rather post it on wiki and have someone else push it to GIT after
> > it's been a bit refined...
> > Thanks
> >
> > On Wed, Apr 2, 2014 at 10:40 AM, Tom Hendrikx <to...@wh...> wrote:
> >
> > Hi,
> >
> > You should put the jail/config stuff in a github pull request I think.
> > then everybody can actually use it:)
> >
> > Tom
> >
> > On 04/02/2014 04:36 PM, Vik Killa wrote:
> > > new version of BIND has RRL for rate-limiting.
> > > in any case, I've written a jail and configuration for bind9 that
> > > protects against DDoS attacks.
> > > I'd like to post it on wiki.
> > > Can someone help me with setting up an account on the fail2ban wiki?
> > > Thanks
> > >
> > > On Tue, Jul 24, 2012 at 3:38 AM, Fabian Wenk <fa...@we...> wrote:
> > >
> > > Hello Yaroslav
> > >
> > > On 24.07.2012 00:57, Yaroslav Halchenko wrote:
> > > > just for the sake of my own education: am I not correct that use of
> > > > DNSSEC practically implies use of TCP due to large packet sizes, thus
> > > > actually an additional difficulty of spoofing, thus such an attack would
> > > > be actually more difficult to accomplish... ?
> > >
> > > I do not know such details about DNSSEC, but without DNSSEC the
> > > DNS server does use TCP, if the answer is too large for one packet
> > > (1500 bytes including IP headers). In this case the server asks
> > > the resolver back through UDP to redo the request through TCP.
> > > But currently there are too many possible requests through UDP
> > > with just a small request, e.g. for ANY, which usually gives in
> > > proportion a much larger (but less than 1500 byte) answer.
> > >
> > > About 3 years ago there was an attack with IN NS requests for the
> > > . (root) zone, which BIND has answered, even when it was not
> > > configured for recursion from the outside world. In this case the
> > > request is very small, but the answer is quite large (but still
> > > fits into one packet) with all the hostnames and IP addresses for
> > > the root nameservers from a to m.
> > >
> > > If requests with a faked source IP address would be done from
> > > many systems (a bot net) to a lot of non-involved DNS servers,
> > > then the attacked IP address will get a lot more data traffic
> > > with the answers from all these non-involved DNS servers. So it is
> > > a good idea to detect such abuse and block it, so your DNS server
> > > will not be part of this attack.
> > >
> > > It is very sad that many ISPs do not implement best practice and
> > > only allow outbound traffic with source IP addresses from their own
> > > and customer IP ranges. If they would do it, such attacks would
> > > not be possible, or at least limited to the same ISP.
> > >
> > > BIND does not have any kind of rate limiting, but probably this
> > > is for good, as a lot of things will break when a DNS server does
> > > not answer the requests from legitimate clients. The only thing
> > > which safely could be blocked are DNS requests for IN ANY (use a
> > > reasonable maxretry and short findtime), as there is no technical
> > > reason for such requests. As far as I know, these are only manual
> > > requests done from humans to debug a domain. Also blocking requests
> > > for domains for which your DNS server is not authoritative is
> > > safe to do. Use it also with a reasonable maxretry and short
> > > findtime so that at least a few NX answers can get back.
> > >
> > >
> > > bye
> > > Fabian
> > >
> > > _______________________________________________
> > > Fail2ban-users mailing list
> > > Fai...@li...
> > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
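Fabian's suggestion in the quoted 2012 mail (count IN ANY queries per source and ban once they exceed maxretry within findtime) as an added Python example; it is not part of the thread, of Vik's pull request, or of fail2ban's own code. The BIND query-log line format is assumed and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed BIND 9 query-log layout: "<ts> client <ip>#<port>: query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one source fires 3 ANY queries in 3 s, another
# spreads its ANY queries so they never add up inside the findtime window.
SAMPLE_LOG = """\
02-Apr-2014 15:13:01.101 client 192.0.2.10#53412: query: example.org IN ANY +E (198.51.100.5)
02-Apr-2014 15:13:02.202 client 192.0.2.10#53412: query: example.org IN ANY +E (198.51.100.5)
02-Apr-2014 15:13:03.303 client 203.0.113.7#40000: query: www.example.org IN A + (198.51.100.5)
02-Apr-2014 15:13:04.404 client 192.0.2.10#53412: query: example.org IN ANY +E (198.51.100.5)
02-Apr-2014 15:13:05.505 client 203.0.113.7#40001: query: example.org IN ANY +E (198.51.100.5)
02-Apr-2014 15:16:00.000 client 203.0.113.7#40002: query: example.org IN ANY +E (198.51.100.5)
02-Apr-2014 15:16:01.000 client 203.0.113.7#40003: query: example.org IN ANY +E (198.51.100.5)
""".splitlines()


def find_abusers(lines, maxretry=3, findtime=timedelta(seconds=60)):
    """Return {ip: ban_time} for sources with >= maxretry IN ANY queries
    inside a sliding findtime window (fail2ban's maxretry/findtime semantics,
    applied to a hypothetical bind-any jail)."""
    recent = defaultdict(deque)   # ip -> timestamps of ANY queries still inside findtime
    banned = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or m["qtype"] != "ANY":
            continue              # only IN ANY counts; A/AAAA/etc. are left alone
        ip = m["ip"]
        if ip in banned:
            continue              # already banned, nothing more to count
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > findtime:
            hits.popleft()        # expire hits older than findtime
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_abusers(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```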