Use fail2ban Bind9 be used to prevent DNS amplification attacks

Foreword

Ali cloud I built for personal use dnsmasq server,DNS is used to make pollution-free,The recent disclosure of the IP,Sure enough, it was attacked - is actually being used DNS amplification attacks。

Since dnsmasq itself is not designed to provide external DNS service,So it is for security profile is not a lot (no!),But it's very easy to configure Resolution Policy (DNS resolution, such as Chinese white list),So I had the basis of,Plus a front-end to do security Bind9。

Then,Today we take a look in the end how to do security configuration Bind9。

Bind9 own security configuration

Bind9 itself supports a number of security policies,We do it well,We have been able to make very robust DNS:

edit
/etc/bind/named.conf.options
,We add a custom policy:

Detailed explanation:

Hide Bind9 version information,Prevent hacker attacks against your Bind9 version loophole。

The message is forwarded to resolve open Bind9,Like dnsmasq as,Let Bind9 able to get up and not resolve on their own to resolve the root,You can avoid polluted (I here to resolve the local dnsmasq)

Only allow forwarding,Disable root parsing,External open simultaneously resolves and caches。

Close the Security Configuration,Because I want to be forwarded up to dnsmasq,The response of the former non-authoritative answer,So let Bind9 accept non-authoritative answer,It is necessary to close。You do not use the words do not have to shut。

When a domain name in the query,You may see a prompt "non-authoritative answer," the,The prompt indicates that you have requested domain name does not use DNS query server that you currently use。

Speed ​​limit for each IP,If the request exceeds per second 25 A,Will no longer respond to direct loss。

effect

Thus,You should be able at
/where/log/syslog
We saw a lot of overrun drop recorded,but,even so,vps still flow away like water,so,We also need to use third-party tools to deal with these IP。

Remember to restart the service
service bind9 restart

Use Fail2ban automatically block hacker IP

Yes, If you've read my VPS then you should buy a spare safety measures this article,Vps that your tool should have installed,It defaults have been able to run well,But give Bind9 use,We will continue to customize some。

Custom Bind9 compatible Fail2ban

Bind9 default and does not generate a separate log,We need to put the error log to record output for Fail2ban,So edit
/etc/bind/named.conf
,Another line from the end of the file insert the following statement:

This is redirected to the default log Bind9
/where/cache/bind/security.log
Size remains 30M

If you use this time
tail -f /where/cache/bind/security.log
View,We will see a lot of records like this:

Obviously,Now, some people reflected in the use of my DNS attack,Next, we have to get rid of these IP configuration Fail2ban。

Let Fail2ban into force on Bind9

In fact Fail2ban native support of Bind9,And even its list has been built - but that strategy and we do not quite match expectations,Have their own change to change。

Edit Filter Configuration

edit
/etc/fail2ban/jail.conf
file,Find Bind9 configuration section in the inside,The default is as follows:

We gave it to change to change,udp and tcp enabled:

The meaning here is that once found 5 times in 1 second record,The corresponding IP will be added to the blacklist,The default time is 3600 seconds。But do not worry,This record is the record drop,Not a normal query records

Modify filtering rules

Next we look at the default rule change,The default rule is to detect the attack - and we are to be detected being used to attack ...... edit
/etc/fail2ban/filter.d/named-refused.conf
file,Find the following lines:

To:

Restart Service

Use the command
service fail2ban restart
To restart the service,This time using the command to view the status of:

You see,Has caught up a。

summary

Anyway,Toss down,We get the following harvest:Bind9 can be restricted to a single IP requests per second (you can then be modified according to the needs),Once an IP server within one second and then the number of requests exceeds the limit,It will be recorded and discarded request,If more than five times over,It will blacklisted denied by the firewall (other display destination unreachable)。

A bit of discussion about UDP

As you can see,In Fail2ban profile which also indicate a very dangerous policy for UDP,Because hackers can easily forge a different address,This may be used to exploit your rules malicious blocking certain IP ,If your server this happen,You'll need to turn off of the policy for the UDP。

Further reading

Iptables-Fail2ban treated bind illegal attacks

Ten minutes to set up DNS forwarding cache server

Blocking a DNS DDOS using the fail2ban package

Original article written by LogStudio:R0uter's Blog » Use fail2ban Bind9 be used to prevent DNS amplification attacks

Reproduced Please keep the source and description link:https://www.logcg.com/archives/1681.html

About the Author

R0uter

The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。

Comments

  1. Hi, thank you for your publications. May i suggest to publish dnsmasq file configuration since this dns resolver is used into the logic developped by your article ?
    Hope it helps.
    Regards?

    —–
    forwarders {
    127.0.0.1 port 5352;
    };
    The message is forwarded to resolve open Bind9,Like dnsmasq as,Let Bind9 able to get up and not resolve on their own to resolve the root,You can avoid polluted (I here to resolve the local dnsmasq)

  2. Thank you for writing a helpful blog. I followed your configuration and configured my server.
    But failregex = #\S+( \([\S.]+\))?\: rate limit drop does not matches for me. My log file generates logs. Does The # after commenting the line “^\s*\S+\s+named(?:\[\d+\])?: [^:]+: rate limit drop” ? Color also change after #.

    My Fail2ban version is 1.0.2.

    Output of

    fail2ban-regex /var/cache/bind/security.log /etc/fail2ban/filter.d/named-refused.conf

    Running tests
    =============

    Use failregex filter file : named-refused, basedir: /etc/fail2ban
    Use log file : /var/cache/bind/security.log
    Use encoding : UTF-8

    Results
    =======

    Prefregex: 1 total
    | ^\s*(?:\S+ (?:(?:\[\d+\])?:\s+\(?named(?:-\w+)?(?:\(\S+\))?\)?:?|\(?named(?:-\w+)?(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?:(?!error|info)[\w-]+: )?(?:(?:error|info):\s*)?client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P(?:\d{1,3}\.){3}\d{1,3})|(?P(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P.+)\s(?:denied|\(NOTAUTH\))\s*$
    -

    Failregex: 0 total

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [253912] {^LN-BEG}Day(?P[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

    Lines: 253912 lines, 0 ignored, 0 matched, 253912 missed
    [processed in 9.25 sec]

    Missed line(s): too many to print. Use –print-all-missed to print all 253912 lines

    What I am missing ?

    1. I would say… try restart the fail2ban first. It seems like ur changes not take effect, Failregex: 0 total, it should be 1, otherwise the regex was not loaded.
      If a service restart not work, then I d suggest go over the path/filenames see if there any typo or something, or even poking around the prefregex to blah then see if the change take effect.

  3. Just to make sure other don’t make this mistake.
    Under the tcp jail:
    [named-refused-tcp]

    Change this to:
    action = iptables-multiport[name=Named, port=53, protocol=udp]

    This:
    action = iptables-multiport[name=Named, port=53, protocol=tcp] << THIS

  4. Good webmaster,My dns server receives the attack log is as follows:
    202.9.120.7#13620 (aaa.com): view g-1: rate limit drop SERVFAIL error response to 202.9.120.7/32

    It may be due to enabled view? In the tutorial using your regular expression failregex = # S +( \([\S.]+\))?\: rate limit can not match drop,I ask this Log,How to modify the regular expression,So that it can match the log? Hope seek Reply,Thank you!

      1. I use the two regular expressions you mentioned,Will not work。Is there something missing?
        One entry in the log is
        120.9.20.2#52774 (chef.vpn.qianxin.com): view cnc-user: rate limit drop

        1. The example in my article is "#80 (nhl.msk.su): rate limit drop“, Your log is "#52774 (chef.vpn.qianxin.com): view cnc-user: rate limit drop“,More than mine "view cnc-user:"Such a field,If it is fixed,Then change the regularity to "#S+( \([\S.]+\))?\: view cnc-user: rate limit drop" try,If it changes,Simply become "#S+( \([\S.]+\))?\:.+\: rate limit drop" got it。

          Simply put, your log format is inconsistent with mine~

Leave a Reply

Your email address will not be published. Required fields are marked *