Foreword
I set up a dnsmasq server for personal use on Alibaba Cloud to get pollution-free DNS. The IP was recently exposed and, sure enough, it was attacked: the server was being used in DNS amplification attacks.
Since dnsmasq itself is not designed to provide DNS service to the outside world, it has very few security options (none, really!), but it makes configuring resolution policy very easy (for example a China whitelist). So I kept dnsmasq as the base and put Bind9 in front of it to handle security.
Today, then, let's look at how to configure Bind9 securely.
Bind9 own security configuration
Bind9 itself supports a number of security policies; configured well, they give us a very robust DNS server.
Edit /etc/bind/named.conf.options and add our custom policy:
options {
    directory "/var/cache/bind";
    version "None of your business";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        127.0.0.1 port 5352;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    // dnssec-validation auto;
    // recursion no;

    auth-nxdomain no;    # conform to RFC1035
    //listen-on-v6 { any; };

    forward only;
    allow-query {any;};
    allow-query-cache {any;};

    dnssec-enable no;
    dnssec-validation no;

    rate-limit {
        ipv4-prefix-length 32;
        window 10;
        responses-per-second 25;
        errors-per-second 5;
        nxdomains-per-second 5;
        slip 2;
    };
};
Detailed explanation:
version "None of your business";
Hides the Bind9 version string, so that attackers cannot target known vulnerabilities of your particular Bind9 version.
forwarders {
    127.0.0.1 port 5352;
};
Forwards queries to an upstream resolver, just as dnsmasq does, instead of letting Bind9 resolve from the root servers on its own; this is what lets you avoid polluted answers (here I forward to the local dnsmasq).
forward only;
allow-query {any;};
allow-query-cache {any;};
Allow forwarding only, disabling resolution from the root, while opening both resolution and the cache to outside queries.
dnssec-enable no;
dnssec-validation no;
Turns off DNSSEC. Because I forward upstream to dnsmasq, whose responses are non-authoritative answers, Bind9 has to accept non-authoritative answers, so this must be disabled. If you do not forward like this, you do not need to turn it off.
When you query a domain name you may see the prompt "non-authoritative answer"; it means the DNS server you are currently using is not the authoritative server for the domain you requested.
rate-limit {
    ipv4-prefix-length 32;
    window 10;
    responses-per-second 25;
    errors-per-second 5;
    nxdomains-per-second 5;
    slip 2;
};
Rate-limits each client IP: once an IP exceeds 25 responses per second, further responses to it are simply dropped.
Effect
You should now see many overrun-drop records in /var/log/syslog. Even so, the VPS's traffic still flows away like water, so we also need a third-party tool to deal with these IPs.
Remember to restart the service:
service bind9 restart
Use Fail2ban automatically block hacker IP
Yes, if you've read my article on the safety measures to take after buying a VPS, this tool should already be installed on your VPS and running well with its defaults; to use it with Bind9, though, we need some further customization.
Custom Bind9 compatible Fail2ban
By default Bind9 does not write a separate log, so we need to send its error log to a file for Fail2ban to read. Edit /etc/bind/named.conf and insert the following statement on a new line at the end of the file:
logging {
    channel query_log {
        file "security.log" versions 3 size 30m;
        severity info;
        print-time yes;
    };
    category default { query_log; };
};
This redirects Bind9's default log to /var/cache/bind/security.log, keeping its size at 30M.
If you now watch it with tail -f /var/cache/bind/security.log, you will see many records like this:
23-Apr-2016 18:44:08.560 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.589 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.607 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.695 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.696 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.752 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.844 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.950 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.009 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.015 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.112 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.117 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
Clearly someone is using my DNS in a reflection attack; next we configure Fail2ban to get rid of these IPs.
Let Fail2ban into force on Bind9
In fact Fail2ban supports Bind9 natively and even ships a jail for it, but that policy does not quite match what we want, so we have to change it ourselves.
Edit Filter Configuration
Edit the /etc/fail2ban/jail.conf file and find the Bind9 configuration section inside it. The default looks like this:
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.

#[named-refused-udp]
……

[named-refused-tcp]
……
We change it to enable both the udp and tcp jails:
[named-refused-udp]
enabled  = true
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/cache/bind/security.log
findtime = 1
maxretry = 5
action   = iptables-multiport[name=Named, port=53, protocol=udp]

[named-refused-tcp]
enabled  = true
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/cache/bind/security.log
findtime = 1
maxretry = 5
action   = iptables-multiport[name=Named, port=53, protocol=tcp]
This means that once 5 matching records are found within 1 second, the corresponding IP is added to the blacklist; the default ban time is 3600 seconds. Don't worry: the records counted are the drop records, not normal query records.
Modify filtering rules
Next we change the default rule. The default rule detects attacks against the server, whereas what we want to detect is the server being used to attack others ... Edit the /etc/fail2ban/filter.d/named-refused.conf file and find the following lines:
failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
and change them to:
failregex = <HOST>#\S+( \([\S.]+\))?\: rate limit drop
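As an added example (not code from the article or from Fail2ban itself), here is a small Python re-implementation of what the jail above does with the log format shown earlier: it applies the article's failregex, with fail2ban's <HOST> token replaced by an explicit IPv4 group and extended with an optional "view name:" field so it also covers the log format raised in the comments, to constructed sample lines, and bans a client once it has maxretry drops within findtime seconds. The sample lines, IPs, and function names are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of BIND's rate-limit log (placeholder IPs/names).
SAMPLE_LOG = """\
23-Apr-2016 18:44:08.560 client 192.0.2.10#80 (example.net): rate limit drop response to 192.0.2.10/32 for example.net IN ANY (0000640d)
23-Apr-2016 18:44:08.589 client 192.0.2.10#80 (example.net): rate limit slip response to 192.0.2.10/32 for example.net IN ANY (0000640d)
23-Apr-2016 18:44:08.607 client 192.0.2.10#80 (example.net): rate limit drop response to 192.0.2.10/32 for example.net IN ANY (0000640d)
23-Apr-2016 18:44:08.695 client 192.0.2.10#80 (example.net): rate limit drop response to 192.0.2.10/32 for example.net IN ANY (0000640d)
23-Apr-2016 18:44:08.752 client 192.0.2.10#80 (example.net): rate limit drop response to 192.0.2.10/32 for example.net IN ANY (0000640d)
23-Apr-2016 18:44:09.009 client 192.0.2.10#80 (example.net): rate limit drop response to 192.0.2.10/32 for example.net IN ANY (0000640d)
23-Apr-2016 18:44:09.100 client 198.51.100.7#52774 (chef.example.org): view cnc-user: rate limit drop response to 198.51.100.7/32 for chef.example.org IN ANY (0000640d)
23-Apr-2016 18:44:10.500 client 203.0.113.5#53 (example.com): query: example.com IN A + (203.0.113.9)
"""

# The article's failregex with fail2ban's <HOST> replaced by an explicit IPv4
# group, plus an optional "view <name>:" field for the format seen in the comments.
FAILREGEX = re.compile(
    r"client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\S+( \([\S.]+\))?:"
    r"(?: view \S+:)? rate limit drop"
)
TIMESTAMP = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")


def parse_drops(log_text):
    """Return (timestamp, client_ip) for every drop line; slips and queries are skipped."""
    drops = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        ts = TIMESTAMP.match(line)
        if not m or not ts:
            continue
        when = datetime.strptime(ts.group(1), "%d-%b-%Y %H:%M:%S.%f")
        drops.append((when, m.group("host")))
    return drops


def hosts_to_ban(log_text, findtime=1.0, maxretry=5):
    """Mimic the jail: ban a client after `maxretry` drops within `findtime` seconds."""
    recent = defaultdict(deque)  # per-client drop timestamps inside the window
    banned = []
    for when, host in parse_drops(log_text):
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget drops older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the jail's findtime = 1 and maxretry = 5, only the client with five drop lines inside one second is banned; the slip line and the ordinary query are never counted.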
Restart Service
Restart the service with service fail2ban restart, then check its status with:
:~# fail2ban-client status named-refused-udp
Status for the jail: named-refused-udp
|- filter
|  |- File list:        /var/cache/bind/security.log
|  |- Currently failed: 0
|  `- Total failed:     9
`- action
   |- Currently banned: 1
   |  `- IP list:       94.254.209.48
   `- Total banned:     1
As you can see, one has already been caught.
Summary
In short, after all this work we have the following: Bind9 limits the number of responses per second to a single IP (you can adjust the limit to your needs); once an IP exceeds the limit within one second, its requests are logged and dropped; and if that happens more than five times, the IP is blacklisted and rejected by the firewall (the client sees destination unreachable).
A bit of discussion about UDP
As you can see, the Fail2ban configuration file also warns that this policy is very dangerous for UDP, because attackers can easily forge the source address and use your rules to maliciously block certain IPs. If this happens to your server, you will need to turn off the UDP policy.
Further reading
Iptables + Fail2ban handling of illegal attacks against bind
Set up a DNS forwarding cache server in ten minutes
Blocking a DNS DDOS using the fail2ban package
Original article by LogStudio: R0uter's Blog » Using fail2ban to prevent Bind9 from being used in DNS amplification attacks
When reproducing, please keep the source and link: https://www.logcg.com/archives/1681.html
Hi, thank you for your publications. May I suggest publishing the dnsmasq configuration file, since this DNS resolver is used in the logic developed by your article?
Hope it helps.
Regards?
—–
forwarders {
127.0.0.1 port 5352;
};
Forwards queries to an upstream resolver, just as dnsmasq does, instead of letting Bind9 resolve from the root servers on its own; this is what lets you avoid polluted answers (here I forward to the local dnsmasq).
Thank you for writing a helpful blog. I followed your configuration and configured my server.
But failregex = <HOST>#\S+( \([\S.]+\))?\: rate limit drop does not match for me. My log file generates logs. Does the # after commenting the line “^\s*\S+\s+named(?:\[\d+\])?: [^:]+: rate limit drop” matter? The color also changes after #.
My Fail2ban version is 1.0.2.
Output of
fail2ban-regex /var/cache/bind/security.log /etc/fail2ban/filter.d/named-refused.conf
Running tests
=============
Use failregex filter file : named-refused, basedir: /etc/fail2ban
Use log file : /var/cache/bind/security.log
Use encoding : UTF-8
Results
=======
Prefregex: 1 total
|  ^\s*(?:\S+ (?:(?:\[\d+\])?:\s+\(?named(?:-\w+)?(?:\(\S+\))?\)?:?|\(?named(?:-\w+)?(?:\(\S+\))?\)?:?(?:\[\d+\])?:)\s+)?(?:(?!error|info)[\w-]+: )?(?:(?:error|info):\s*)?client(?: @\S*)? (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))#\S+(?: \([\S.]+\))?: (?P<content>.+)\s(?:denied|\(NOTAUTH\))\s*$
`-
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [253912] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 253912 lines, 0 ignored, 0 matched, 253912 missed
[processed in 9.25 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 253912 lines
What am I missing?
I would say... try restarting fail2ban first. It seems like your changes have not taken effect: Failregex: 0 total, it should be 1, otherwise the regex was not loaded.
If a service restart does not work, then I'd suggest going over the paths/filenames to see if there is any typo or something, or even poking around the prefregex and then seeing if the change takes effect.
Just to make sure others don't make this mistake.
Under the tcp jail:
[named-refused-tcp]
…
Change this:
action = iptables-multiport[name=Named, port=53, protocol=udp]
To this:
action = iptables-multiport[name=Named, port=53, protocol=tcp] << THIS
Thanks man, updated.
Hello webmaster, my DNS server's attack log looks like this:
202.9.120.7#13620 (aaa.com): view g-1: rate limit drop SERVFAIL error response to 202.9.120.7/32
It may be because views are enabled? The regular expression from your tutorial, failregex = <HOST>#\S+( \([\S.]+\))?\: rate limit drop, cannot match it. May I ask how to modify the regular expression for this log so that it matches? Hoping for a reply, thank you!
If it is static, then failregex = <HOST>#\S+( \([\S.]+\))?\: view g-1: rate limit drop #\S+( \([\S.]+\))?\: \in{4} \w-d: rate limit drop
If it is dynamic as well, then: failregex =
I used the two regular expressions you mentioned and neither works. Is something missing?
One entry in the log is:
120.9.20.2#52774 (chef.vpn.qianxin.com): view cnc-user: rate limit drop
The example in my article is "#80 (nhl.msk.su): rate limit drop", while your log is "#52774 (chef.vpn.qianxin.com): view cnc-user: rate limit drop", which has an extra "view cnc-user:" field compared with mine. If that field is fixed, change the regex to "<HOST>#\S+( \([\S.]+\))?\: view cnc-user: rate limit drop" and try; if it changes, simply use "<HOST>#\S+( \([\S.]+\))?\:.+\: rate limit drop".
Simply put, your log format is different from mine~
Alibaba Cloud is too expensive; students pay ten dollars a month. Get yourself a Tencent Cloud one, a dollar a month, and there is a student version too!
I heard. By the time they introduced it I had already bought mine, and I've also heard Tencent Cloud is a real trap.
It looked cheap; anyway, I also used it to run ss, because getting onto the Internet from school is sometimes too painful, and I set up OpenVPN on UDP 53 along the way, you know!