
Blocking DNS DDoS with fail2ban

Are you tired of the heaps of logcheck messages about named refusing to serve requests? Below is how to protect named from DDoS using the fail2ban package.

The events in question look like this:
  System events
  = - = - = - = - = - = - =
  Jan 21 06:02:13 www named[32410]: client 66.230.128.15#15333: query (cache)
  + './NS/IN' denied

However, it should be noted that in most cases the source IP address is spoofed. Each node in a botnet can send one or more packets per second to a DNS server. The server, in turn, sends its error response to the spoofed address, so the denial of service lands on the machine whose address was forged, not on the sender.

Tired of your DNS server being used as a weapon in other people's DDoS attacks? Try installing the fail2ban package (Debian GNU/Linux). The project's home page is www.fail2ban.org .

First install the fail2ban package. By default, only attacks on the ssh service are monitored and blocked. This is a good idea. fail2ban can monitor other services too; moreover, you can write your own actions and filters for it, but that is beyond the scope of this article.
  aptitude install fail2ban 

After the package is installed, check the contents of the /etc/fail2ban/jail.conf file.
At the end of the file there is a description of the changes that need to be made in the named server's settings so that fail2ban can properly handle events for the DNS service.
First, create a directory in which the log of the DNS server will be saved:
  mkdir /var/log/named
  chown bind.bind /var/log/named
  chmod 750 /var/log/named

After that, edit /etc/bind/named.conf.local (You may have it elsewhere. The specified name is relevant for the bind9 package in Debian) by adding the following lines:
  logging {
     channel security_file {
         file "/var/log/named/security.log" versions 3 size 30m;
         severity dynamic;
         print-time yes;
     };
     category security {
         security_file;
     };
 }; 

Restart Bind:
  /etc/init.d/bind9 restart 

Make sure that the /var/log/named/security.log is being created and populated:
  21-Jan-2010 07:19:54.835 client 66.230.160.1#28310: query (cache) './NS/IN' denied

Ok, now we’ll make changes to the fail2ban setup. Open /etc/fail2ban/jail.conf for editing and make the following changes:
  [named-refused-udp]

 enabled = false 

replace with
  [named-refused-udp]

 enabled = true 

and:
  [named-refused-tcp]

 enabled = false 

with
  [named-refused-tcp]

 enabled = true 

Restart fail2ban:
  /etc/init.d/fail2ban restart 

Make sure that fail2ban creates its /var/log/fail2ban.log, it will contain something like:
  2010-01-21 07:34:32,800 fail2ban.actions: WARNING [named-refused-udp] Ban 76.9.16.171
  2010-01-21 07:34:32,902 fail2ban.actions: WARNING [named-refused-tcp] Ban 76.9.16.171

We also confirm that fail2ban added the corresponding iptables rules:
  $ sudo iptables-save | grep fail2ban

Now you can watch how promptly fail2ban restricts access:
  tail -f /var/log/named/security.log 

From now on, DNS error messages from a given client will be minutes apart rather than seconds apart.

Now for some improvements.

Let's tell the logcheck service to look at a new place for finding error messages. Edit the /etc/logcheck/logcheck.logfiles file by adding the following line to the end of the file:
  /var/log/named/security.log 

Confirm that you now receive fail2ban's messages by e-mail.

It is a good idea to explore the options in the [DEFAULT] section of the /etc/fail2ban/jail.conf file. You may also want to enable monitoring of other services besides named. It may also make sense to adjust the rules for ignoring the RFC1918 networks (see the ignoreip option).

You can also think about changing bantime = 600 for a longer period.
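As an added illustration of what the jail options above (maxretry, findtime, bantime, ignoreip) do to the security.log lines shown earlier, here is a small Python model of a fail2ban-style jail. It is not code from the article and not fail2ban's own filter: the regular expression is a simplified hand-written pattern for the bind9 line format, the sample log lines and parameter values are constructed for the demo, and the RFC1918 ranges are added to ignoreip as the previous paragraph suggests.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern for the bind9 security-log line shape shown in the article.
# This is a hand-written approximation, not fail2ban's stock named-refused regex.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query \(cache\) '[^']*' denied"
)

# Constructed sample log (documentation-range and RFC1918 addresses, made up here).
SAMPLE_LOG = """\
21-Jan-2010 07:19:54.835 client 203.0.113.7#28310: query (cache) './NS/IN' denied
21-Jan-2010 07:19:55.101 client 203.0.113.7#28311: query (cache) './NS/IN' denied
21-Jan-2010 07:19:55.420 client 203.0.113.7#28312: query (cache) './NS/IN' denied
21-Jan-2010 07:19:56.002 client 203.0.113.7#28313: query (cache) './NS/IN' denied
21-Jan-2010 07:19:57.310 client 203.0.113.7#28314: query (cache) './NS/IN' denied
21-Jan-2010 07:20:01.000 client 198.51.100.9#5353: query (cache) 'example.com/A/IN' denied
21-Jan-2010 07:20:02.000 client 192.168.1.20#40000: query (cache) './NS/IN' denied
21-Jan-2010 07:20:02.500 client 192.168.1.20#40001: query (cache) './NS/IN' denied
21-Jan-2010 07:20:03.000 client 192.168.1.20#40002: query (cache) './NS/IN' denied
21-Jan-2010 07:20:03.500 client 192.168.1.20#40003: query (cache) './NS/IN' denied
21-Jan-2010 07:20:04.000 client 192.168.1.20#40004: query (cache) './NS/IN' denied
21-Jan-2010 07:30:00.000 client 198.51.100.9#5354: query (cache) './NS/IN' denied
"""

# Loopback plus the RFC1918 networks; assumed ignoreip value for this demo.
RFC1918_IGNORE = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_line(line):
    """Return (timestamp, client_ip) for a denied-query line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"]


class RefusedQueryJail:
    """Minimal jail model: maxretry hits inside findtime seconds => ban for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=600, ignoreip=RFC1918_IGNORE):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignoreip]
        self.hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self.bans = {}                   # ip -> time the ban expires
        self.events = []                 # (timestamp, "Ban"/"Unban", ip)

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def _expire_bans(self, now):
        # Lift bans whose bantime has elapsed; log is assumed to be in chronological order.
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append((now, "Unban", ip))

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return
        ts, ip = parsed
        self._expire_bans(ts)
        if ip in self.bans or self._ignored(ip):
            return
        hits = self.hits[ip]
        hits.append(ts)
        # Drop hits that fell out of the findtime window.
        while ts - hits[0] > self.findtime:
            hits.popleft()
        if len(hits) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            hits.clear()
            self.events.append((ts, "Ban", ip))


def analyze(log_text, **jail_opts):
    """Feed every line through one jail and return [(action, ip), ...] in log order."""
    jail = RefusedQueryJail(**jail_opts)
    for line in log_text.splitlines():
        jail.feed(line)
    return [(action, ip) for _, action, ip in jail.events]


if __name__ == "__main__":
    for action, ip in analyze(SAMPLE_LOG):
        print(f"{action} {ip}")
```

With the defaults, 203.0.113.7 is banned on its fifth refused query and unbanned ten minutes later, 192.168.1.20 is never banned because it falls inside ignoreip, and 198.51.100.9 stays under maxretry. Passing ignoreip=() shows why the RFC1918 exception matters: an internal host that has merely misconfigured its resolver would otherwise be cut off as well.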

You can try to write your own filters for fail2ban if you have enough magic to write regular expressions;)

In short, dare and explore :)

PS: Yes, this is just a free translation of "Blocking a DNS DDOS using the fail2ban package" with some additions from practice ;)

Source: https://habr.com/ru/post/83202/
