Does anybody have a Fail2Ban rule for MyDNS? I installed MyDNS as suggested by the ISPConfig3 official user manual. I paid 5 Euro for it.
Can you post its contents so that I can see what logins fail2ban is trying to track? BTW, if you have a filter file, you already have the fail2ban rule in it.
named-refused.conf

# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko
#
# $Revision: 730 $
#

[Definition]

#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
jail.local

# DNS Servers

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP

[named-refused-udp]

enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/security.log

[named-refused-tcp]

enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
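
Added example, not part of the thread and not fail2ban's own code: a Python check that expands the filter's %(...)s shortcuts the way config interpolation does and runs the resulting failregex over constructed named log lines, showing which source IPs the jail would count. The <HOST> substitute is a simplified IPv4-only assumption, the sample lines are constructed, and __daemon_combs_re is written with its closing `:)`.

```python
import re

# Definitions from the named-refused filter ([Definition] section).
DEFS = {
    "_daemon": r"named",
    "__pid_re": r"(?:\[\d+\])",
    "__daemon_re": r"\(?%(_daemon)s(?:\(\S+\))?\)?:?",
    "__daemon_combs_re": r"(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)",
    "__line_prefix": r"(?:\s\S+ %(__daemon_combs_re)s\s+)?",
    "failregex": r"%(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$",
}

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines: native security.log format and a syslog-style line.
SAMPLE = [
    "21-Dec-2012 10:15:32.123 client 192.0.2.10#53124: query (cache) 'example.com/A/IN' denied",
    "21-Dec-2012 10:15:40.001 client 198.51.100.7#40000: query 'example.net/ANY/IN' denied",
    "21-Dec-2012 10:16:00.500 client 203.0.113.5#1234: transfer of 'example.com/AXFR/IN': AXFR started",
    "Dec 21 10:17:00 ns1 named[1234]: client 192.0.2.10#53124: query (cache) 'example.org/A/IN' denied",
]

def expand(name):
    """Resolve %(name)s references recursively, like config interpolation."""
    return re.sub(r"%\((\w+)\)s", lambda m: expand(m.group(1)), DEFS[name])

def compile_failregex():
    """Build the final pattern with <HOST> replaced by a capturing group."""
    return re.compile(expand("failregex").replace("<HOST>", HOST_RE))

def offenders(lines):
    """Return the source IP of every line the filter counts as a failure."""
    rx = compile_failregex()
    return [m.group("host") for m in map(rx.search, lines) if m]

if __name__ == "__main__":
    for ip in offenders(SAMPLE):
        print(ip)
```

The IP captured is whatever source address named logged, which is why the UDP jail carries the spoofing caution in jail.local.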