[CentOS] logwatch named logs

Thu Mar 13 12:36:41 UTC 2014
Ljubomir Ljubojevic <centos at plnet.rs>

On 03/13/2014 12:17 PM, John R Pierce wrote:
> ever since implementing the no-recursion-on-outside queries fix on one
> of my name servers, my logwatch emails have been 10-20MB/day, filled
> with crud like...
>
>       client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
>       client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
>       client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
>       client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
>
>
> Any idea how to suppress this?  This is CentOS 5.latest with BIND 9.7.
>
>

I added this to Named config:

        logging {
                // Security-category messages (denied queries etc.) go to their own rotated file
                channel security_file {
                        file "/var/log/named/security.log" versions 3 size 30m;
                        severity dynamic;
                        print-time yes;
                };
                // The channel only receives anything once a category is mapped to it
                category security { security_file; };
        };

And applied fail2ban:

jail.local:

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
[named-refused-udp]
enabled  = true
filter   = named-refused
action   = shorewall
           sendmail[name=Named-udp, dest=admin@mail, sender=chiron@mail, sendername="Fail2Ban-named-refused-udp"]
#action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#           sendmail-whois[name=Named, dest=admin@mail]
logpath  = /var/log/named/security.log
ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled  = true
filter   = named-refused
action   = shorewall
           sendmail[name=Named-tcp, dest=admin@mail, sender=chiron@plnet.rs, sendername="Fail2Ban-named-refused-tcp"]
#action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
#           sendmail-whois[name=Named, dest=admin@mail]
logpath  = /var/log/named/security.log
ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29


Notice that I use shorewall not iptables directly.

That gave me two things: one is reducing logwatch from 2-5MB to 360KB, 
and the second is blocking DDoS-attacking IPs from repeating attacks for a 
certain amount of time (a few days, I think).

Too bad fail2ban does not have a global attacker database like denyhosts 
does. A global threat needs a global defense.



-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
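The mechanics behind the setup above (a BIND security log fed to a fail2ban jail) can be replayed offline. The following script is an added example, not code from the thread or from fail2ban itself: it parses denied-query lines in the format BIND writes to a security channel with print-time enabled, honours an ignoreip list of private networks, reports per-client counts the way logwatch does, and simulates a jail's maxretry/findtime/bantime logic. The regex is my own (fail2ban's named-refused filter uses a <HOST> placeholder for the same shape), the sample log lines are constructed with documentation-range addresses, and the default thresholds are assumed values rather than the poster's.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of BIND's security channel with "print-time yes"
# (hypothetical clients; the query names are the ones quoted in the thread).
SAMPLE_LOG = """\
13-Mar-2014 12:00:01.101 client 10.191.192.212#40211: query (cache) 'm.777.liyuanxi.com/A/IN' denied
13-Mar-2014 12:00:02.245 client 198.51.100.7#53902: query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied
13-Mar-2014 12:00:03.019 client 198.51.100.7#53903: query (cache) 'v.www.90uc.com/A/IN' denied
13-Mar-2014 12:00:04.500 client 198.51.100.7#53904: query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied
13-Mar-2014 12:00:05.000 client 203.0.113.9#1025: query (cache) 'example.net/MX/IN' denied
13-Mar-2014 12:01:00.000 client 203.0.113.9#1026: query 'example.net/MX/IN' denied
13-Mar-2014 12:30:00.000 client 198.51.100.7#53905: query (cache) 'v.www.90uc.com/A/IN' denied
"""

# Private ranges from the jail's ignoreip setting.
IGNOREIP = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# Own regex for a denied-query line (assumption: matches BIND 9.x wording).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<host>[0-9a-fA-F.:]+)#\d+: "
    r"query(?: \(cache\))? '(?P<query>[^']*)' denied\s*$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return (timestamp, client_ip, query) for a denied-query line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("host"), m.group("query")


def is_ignored(host, ignoreip=IGNOREIP):
    """True when host falls inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def denied_counts(log_text):
    """Per-client denial counts, the figure logwatch reports as 'N Time(s)'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def scan(log_text, ignoreip=IGNOREIP, maxretry=3, findtime=600, bantime=3 * 24 * 3600):
    """Replay the log through a jail: ban a client after maxretry denials
    within findtime seconds; a banned client is skipped until bantime expires
    (in production the firewall drops it, so named never logs it)."""
    recent = defaultdict(list)   # host -> timestamps inside the findtime window
    banned_until = {}
    bans = []                    # (host, ISO time of the ban) in log order
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _query = parsed
        if is_ignored(host, ignoreip):
            continue
        if host in banned_until and ts < banned_until[host]:
            continue
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts.isoformat()))
            recent[host] = []
    return bans


if __name__ == "__main__":
    for host, n in denied_counts(SAMPLE_LOG).items():
        print(f"client {host} denied: {n} Time(s)")
    print("bans:", scan(SAMPLE_LOG))
```

Running it shows why the private 10.x client never gets banned (it is inside ignoreip) and how the 12:30 query from the already-banned client is dropped, which is the effect that shrinks the logwatch report: once the firewall blocks a client, named stops writing its denials.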