On 03/13/2014 12:17 PM, John R Pierce wrote:
> ever since implementing the no-recursion-on-outside queries fix on one
> of my name servers, my logwatch emails have been 10-20MB/day, filled
> with crud like...
>
> client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
> client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
>
> any idea how to suppress this? this is centos 5.latest with bind 9.7
>

I added this to the named config:

    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };

and applied fail2ban, with this in jail.local:

    # IMPORTANT: see filter.d/named-refused for instructions to enable logging

    # This jail blocks UDP traffic for DNS requests.
    [named-refused-udp]
    enabled  = true
    filter   = named-refused
    action   = shorewall
               sendmail[name=Named-udp, dest=admin at mail, sender=chiron at mail, sendername="Fail2Ban-named-refused-udp"]
    #action  = iptables-multiport[name=Named, port="domain,953", protocol=udp]
    #          sendmail-whois[name=Named, dest=admin at mail]
    logpath  = /var/log/named/security.log
    # RFC 1918 private ranges plus our own public block (publicsub/29 is a placeholder)
    ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

    # This jail blocks TCP traffic for DNS requests.
    [named-refused-tcp]
    enabled  = true
    filter   = named-refused
    action   = shorewall
               sendmail[name=Named-tcp, dest=admin at mail, sender=chiron at plnet.rs, sendername="Fail2Ban-named-refused-tcp"]
    #action  = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
    #          sendmail-whois[name=Named, dest=admin at mail]
    logpath  = /var/log/named/security.log
    # RFC 1918 private ranges plus our own public block (publicsub/29 is a placeholder)
    ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

Notice that I use shorewall, not iptables directly.
That gave me two things. One is reducing logwatch from 2-5 MB to 360 KB, and the second is blocking DDoS-attacking IPs from repeating attacks for a certain amount of time (a few days, I think). Too bad fail2ban does not have a global attacker database like denyhosts does. Global threat needs global defense.

-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
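As an added example (not part of this thread, and not fail2ban's own named-refused filter), the Python below does in miniature what that jail does: it parses BIND's "query ... denied" lines in both the raw security-log form and the logwatch summary form quoted above, skips clients covered by the ignoreip networks (the RFC 1918 ranges, with 192.0.2.0/29 standing in for the "publicsub/29" placeholder), and reports the clients that reached a maxretry threshold. The sample log lines are constructed; the findtime window is deliberately left out. Two points worth knowing when reproducing the setup: a BIND channel on its own receives nothing, so the logging block also needs "category security { security_file; };" for the denied-query messages to land in that file; and the four client addresses in the quoted logwatch excerpt are all in 10/8, so an ignoreip line like the one above would never ban them.

```python
import ipaddress
import re
from collections import Counter

# Matches BIND 9's "query ... denied" message both in the raw security log
# ("client 198.51.100.7#33901: query (cache) '...' denied") and in the
# logwatch summary form quoted in the thread (no port, no timestamp).
DENIED_RE = re.compile(
    r"client (?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?:#\d+)?:? "
    r"query (?:\(cache\) )?'(?P<qname>[^']+?)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

# Same intent as the jail's ignoreip line: never ban RFC 1918 sources or our own
# public block. 192.0.2.0/29 (documentation space) stands in for "publicsub/29".
IGNORE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/29")
]


def parse_denied(line):
    """Return {'ip', 'qname', 'qtype'} for a denied-query line, or None."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None


def is_ignored(ip, ignore_nets=IGNORE_NETS):
    """True if the client address falls inside any ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore_nets)


def offenders(lines, maxretry=3, ignore_nets=IGNORE_NETS):
    """Count denied queries per non-ignored client and return the clients
    that reached maxretry. Mirrors fail2ban's maxretry check but, as a
    deliberate simplification, has no findtime window."""
    hits = Counter()
    for line in lines:
        rec = parse_denied(line)
        if rec is None or is_ignored(rec["ip"], ignore_nets):
            continue
        hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


# Constructed sample log: the four logwatch lines quoted in the thread (all from
# 10/8, so ignoreip skips them) plus raw-format lines with print-time stamps
# from documentation address blocks, and one unrelated line that must not match.
SAMPLE_LOG = [
    "client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)",
    "client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)",
    "client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)",
    "client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)",
    "13-Mar-2014 12:17:01.001 client 198.51.100.7#33901: query (cache) 'www.example.com/A/IN' denied",
    "13-Mar-2014 12:17:01.204 client 198.51.100.7#33902: query (cache) 'www.example.com/A/IN' denied",
    "13-Mar-2014 12:17:02.310 client 203.0.113.9#4455: query (cache) 'www.example.net/MX/IN' denied",
    "13-Mar-2014 12:17:03.015 client 198.51.100.7#33903: query 'www.example.com/AAAA/IN' denied",
    "13-Mar-2014 12:17:04.500 client 192.0.2.3#5353: query (cache) 'www.example.org/A/IN' denied",
    "13-Mar-2014 12:17:05.777 client 198.51.100.7#33904: query (cache) 'www.example.com/TXT/IN' denied",
    "13-Mar-2014 12:17:06.000 general: info: zone example.org/IN: sending notifies",
]


if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG).items()):
        print(f"would ban {ip}: {n} denied queries")
```

Run as-is it reports only 198.51.100.7 (four denied queries); 203.0.113.9 stays under the threshold, and the 10/8 and 192.0.2.0/29 clients are never counted, which is exactly the behaviour an ignoreip line buys you.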