ever since implementing the no-recursion-on-outside queries fix on one of my name servers, my logwatch emails have been 10-20MB/day, filled with crud like...
client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
any idea how to suppress this? this is centos 5.latest with bind 9.7
On 3/13/2014 4:41 AM, Joseph L. Casale wrote:
any idea how to suppress this? this is centos 5.latest with bind 9.7
A local override, copy the named conf and move the regex that is counting those events up to the ignore section.
I assume you're referring to the logwatch configuration? whack, /etc/logwatch/ has a bunch of mostly empty directories, I see no mention of named
so I'm gonna have to spend the better part of a day figuring out how all this works? meh. I'd actually like to block named from creating these logs at all as my /var/log/messages are being polluted with huge amounts of this stuff daily.
so I'm gonna have to spend the better part of a day figuring out how all this works? meh. I'd actually like to block named from creating these logs at all as my /var/log/messages are being polluted with huge amounts of this stuff daily.
Get your named logs out of there and implement logging in named.conf directly. You are running named chrooted and log to ROOT/var/log.
On Thu, Mar 13, 2014 at 8:01 AM, John R Pierce pierce@hogranch.com wrote:
so I'm gonna have to spend the better part of a day figuring out how all this works? meh. I'd actually like to block named from creating these logs at all as my /var/log/messages are being polluted with huge amounts of this stuff daily.
In addition to ignore.conf regexes...
You can exclude logs for daemons altogether (which I doubt you want). The line below, if placed in /usr/share/logwatch/default.conf/logwatch.conf, will exclude named logs.
Service = "-named"
On Thu, Mar 13, 2014 at 7:41 AM, Joseph L. Casale <jcasale@activenetwerx.com> wrote:
any idea how to suppress this? this is centos 5.latest with bind 9.7
A local override, copy the named conf and move the regex that is counting those events up to the ignore section.
You can add rules to logwatch's ignore.conf
~]$ cat /etc/logwatch/conf/ignore.conf
###### REGULAR EXPRESSIONS IN THIS FILE WILL BE TRIMMED FROM REPORT OUTPUT #####
Though the better solution is fixing/resolving the logging of those messages to begin with. One step at a time though, eh?
Am 13.03.2014 um 12:17 schrieb John R Pierce pierce@hogranch.com:
any idea how to suppress this? this is centos 5.latest with bind 9.7
cp /usr/share/logwatch/scripts/services/named /etc/logwatch/scripts/services/named
and make your modifications in /etc/logwatch/scripts/services/named
-- LF
On 03/13/2014 12:17 PM, John R Pierce wrote:
any idea how to suppress this? this is centos 5.latest with bind 9.7
I added this to Named config:
channel security_file {
    file "/var/log/named/security.log" versions 3 size 30m;
    severity dynamic;
    print-time yes;
};
And applied fail2ban:
jail.local:
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused-udp]
enabled  = true
filter   = named-refused
action   = shorewall
           sendmail[name=Named-udp, dest=admin@mail, sender=chiron@mail, sendername="Fail2Ban-named-refused-udp"]
#action  = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#          sendmail-whois[name=Named, dest=admin@mail]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled  = true
filter   = named-refused
action   = shorewall
           sendmail[name=Named-tcp, dest=admin@mail, sender=chiron@plnet.rs, sendername="Fail2Ban-named-refused-tcp"]
#action  = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
#          sendmail-whois[name=Named, dest=admin@mail]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29
Notice that I use shorewall not iptables directly.
That gave me two things: one is reducing logwatch from 2-5MB to 360KB, and the second is blocking DDoS-attacking IPs from repeating attacks for a certain amount of time (a few days, I think).
Too bad fail2ban does not have a global attacker database like denyhosts does. Global threat needs global defense.
On 13-03-14 13:36, Ljubomir Ljubojevic wrote: [snip]
Too bad fail2ban does not have a global attacker database like denyhosts does. Global threat needs global defense.
There is http://www.blocklist.de
Cheers, Patrick
Am 13.03.2014 13:36, schrieb Ljubomir Ljubojevic:
jail.local:
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused-udp]
ignoreip = 168.192.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29
^ sure about this? that's not RFC1918
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
ignoreip = 168.192.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29
here as well: no RFC1918 space
Maybe not a copy & paste out of your configuration file?
Alexander
On 3/13/2014 4:17 AM, John R Pierce wrote:
... 10-20MB daily logs of
client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
ok, let me rephrase this question.
How do I stop named (bind97 from CentOS 5.10) from logging those specific events at all? There were 1.2 million of these yesterday. No, fail2ban won't work: no two came from the same IP. AFAIK these are attempts at cache poisoning, which I've disabled.
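John's reason for rejecting fail2ban (no two hits from the same IP) is worth measuring rather than eyeballing in a 20MB report. The script below is an added example written for this thread, not code posted by any participant: it parses BIND's "query (cache) '...' denied" lines as syslog writes them (client address with source port, which logwatch's summary strips), counts hits per client and per registered domain, and reports which clients a fail2ban-style maxretry threshold would actually ban. The log lines are constructed to match that format, the query names are the ones quoted in the thread, and the "registered domain" is a last-two-labels approximation rather than a public-suffix lookup.

```python
"""Triage BIND 'query ... denied' lines: would per-client banning help, or is
the load spread thinly over many source addresses?

Added example for this thread, not code from any participant. SAMPLE_LOG is
constructed to match the shape of BIND 9.x security-category messages in
syslog; it is not real traffic.
"""
import re
from collections import Counter

# Constructed sample: 7 denied lookups from 6 clients (one client twice),
# plus one unrelated named message that must be ignored.
SAMPLE_LOG = """\
Mar 13 04:10:01 ns1 named[2214]: client 10.191.192.212#4921: query (cache) 'm.777.liyuanxi.com/A/IN' denied
Mar 13 04:10:01 ns1 named[2214]: client 10.192.34.96#5302: query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied
Mar 13 04:10:02 ns1 named[2214]: client 10.192.43.105#1133: query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied
Mar 13 04:10:02 ns1 named[2214]: client 10.192.90.161#2210: query (cache) 'v.www.90uc.com/A/IN' denied
Mar 13 04:10:03 ns1 named[2214]: client 10.200.1.5#6001: query (cache) 'qwpoe.777.liyuanxi.com/A/IN' denied
Mar 13 04:10:03 ns1 named[2214]: client 10.200.2.6#6002: query (cache) 'zzzt.www.90uc.com/A/IN' denied
Mar 13 04:10:04 ns1 named[2214]: client 10.200.2.6#6003: query (cache) 'xyz.www.90uc.com/A/IN' denied
Mar 13 04:10:05 ns1 named[2214]: lame server resolving 'example.net' (in 'example.net'?): 192.0.2.1#53
"""

# "client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied"
# The parenthesised kind is optional so plain "query '...' denied" matches too.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query(?: \((?P<kind>[a-z]+)\))? "
    r"'(?P<name>[^/']+)/(?P<rrtype>[A-Z0-9]+)/(?P<rrclass>[A-Z]+)' denied"
)


def parse_denied(line):
    """Return the fields of a denied-query line as a dict, or None."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None


def registered_domain(name):
    """Crude registered domain: the last two labels. No public-suffix list,
    so co.uk-style names group wrongly; adequate for a first triage."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def summarize(log_text):
    """Count denied queries per client address and per target domain."""
    per_client = Counter()
    per_domain = Counter()
    total = 0
    for line in log_text.splitlines():
        ev = parse_denied(line)
        if ev is None:
            continue  # lame-server notices, startup chatter, etc.
        total += 1
        per_client[ev["ip"]] += 1
        per_domain[registered_domain(ev["name"])] += 1
    return {
        "total": total,
        "distinct_clients": len(per_client),
        "per_client": per_client,
        "per_domain": per_domain,
    }


def clients_over(summary, maxretry):
    """Clients a jail with this maxretry would ban. Simplification: the whole
    sample is treated as one findtime window."""
    return sorted(ip for ip, n in summary["per_client"].items() if n >= maxretry)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} denied queries from {s['distinct_clients']} clients")
    print("busiest clients:", s["per_client"].most_common(3))
    print("target domains:", s["per_domain"].most_common(3))
    print("banned at maxretry=5:", clients_over(s, 5) or "nobody")
```

Run it against the real file instead of the embedded sample by reading /var/log/messages (or the dedicated security log, if you have one) into summarize(); if the busiest client is at one or two hits while the total is in the millions, a per-IP ban list is the wrong tool, and the per-domain counter tells you which zones the traffic is really aimed at.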
Am 13.03.2014 um 19:41 schrieb John R Pierce pierce@hogranch.com:
how do I stop named (bind97 from CentOS 5.10) from logging those specific events at all?
Take a look in the manual:
$ man named.conf
Check the LOGGING section.
-- LF
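The LOGGING section of named.conf(5) is where the original question gets answered. The stanza below is an added example written for this thread, not configuration posted by any participant. The "query (cache) '...' denied" messages belong to BIND's `security` category (the manual describes it as approval and denial of requests). With no `logging {}` block, every category goes through the built-in `default_syslog` channel at severity info and up, which is how those lines reach /var/log/messages and, from there, logwatch. A channel definition by itself routes nothing; the `category security { ... }` line is what moves the messages. Binding the category to its own channel keeps them out of syslog while preserving the evidence in a size-bounded file; binding it to the built-in `null` channel discards them. The file path is an assumption: with the CentOS 5 bind-chroot package it is relative to the chroot (so /var/named/chroot/var/log/named/ as seen from the host), and the directory must exist and be writable by the user named runs as, or the channel cannot be opened and nothing is written.

```conf
logging {
    // BIND's documented default for everything else, restated so that
    // adding a logging {} block does not silently change it.
    category default { default_syslog; default_debug; };

    // Approval/denial messages, including "query (cache) '...' denied",
    // go to their own rotating file instead of syslog. Path is an
    // assumption; under a chroot it is relative to the chroot root.
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category security { security_file; };

    // Alternative if the evidence is genuinely not wanted: drop the
    // whole category with the built-in null channel.
    // category security { null; };
};
```

Validate with `named-checkconf` (add `-t /var/named/chroot` for the chrooted layout) before `rndc reload`, then confirm that new denied-query lines appear in security.log and no longer in /var/log/messages. Keeping the file rather than using `null` costs little and is what a fail2ban named-refused jail, or the triage script earlier in this thread, would read.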