[CentOS] logwatch named logs
Ljubomir Ljubojevic
centos at plnet.rs
Thu Mar 13 12:36:41 UTC 2014
On 03/13/2014 12:17 PM, John R Pierce wrote:
> ever since implementing the no-recursion-on-outside queries fix on one
> of my name servers, my logwatch emails have been 10-20MB/day, filled
> with crud like...
>
> client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
> client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
>
>
> any idea how to suppress this? this is centos 5.latest with bind 9.7
>
>
I added this to Named config:
channel security_file {
    file "/var/log/named/security.log" versions 3 size 30m;
    severity dynamic;
    print-time yes;
};
And applied fail2ban:
jail.local:

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
[named-refused-udp]
enabled  = true
filter   = named-refused
action   = shorewall
           sendmail[name=Named-udp, dest=admin at mail, sender=chiron at mail, sendername="Fail2Ban-named-refused-udp"]
#action  = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#          sendmail-whois[name=Named, dest=admin at mail]
logpath  = /var/log/named/security.log
ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled  = true
filter   = named-refused
action   = shorewall
           sendmail[name=Named-tcp, dest=admin at mail, sender=chiron at plnet.rs, sendername="Fail2Ban-named-refused-tcp"]
#action  = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
#          sendmail-whois[name=Named, dest=admin at mail]
logpath  = /var/log/named/security.log
ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29
Notice that I use shorewall, not iptables directly.
That gave me two things: one is reducing logwatch from 2-5MB to 360KB,
and the second is blocking DDoS attacking IPs from repeating attacks for a
certain amount of time (a few days, I think).
Too bad fail2ban does not have a global attacker database like denyhosts
does. Global threat needs global defense.
--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
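Added example (not from the post, and not fail2ban's own filter code): a small Python reproduction of what the named-refused jail does over the security channel above, so you can sanity-check maxretry/findtime and ignoreip against your own log before enabling a ban action. The log lines are constructed, 203.0.113.0/29 stands in for the poster's "publicsub/29", and the line layout assumes BIND's print-time format.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a "denied" line as BIND writes it to the security channel with
# print-time yes (view clause optional, client port captured and ignored).
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query(?: \(cache\))? '(?P<q>[^']*)' denied")

# The post's ignoreip (RFC 1918 ranges); 203.0.113.0/29 is an assumed
# stand-in for the author's "publicsub/29".
IGNORE_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "203.0.113.0/29")]


def parse_denied(line):
    """Return (timestamp, client_ip, qname) for a denied-query line, else None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, ipaddress.ip_address(m.group("ip")), m.group("q")


def offenders(lines, maxretry=5, findtime=600):
    """fail2ban-style: clients outside ignoreip with >= maxretry denials
    inside any sliding window of findtime seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_denied(line)
        if rec and not any(rec[1] in net for net in IGNORE_NETS):
            hits[rec[1]].append(rec[0])
    window, result = timedelta(seconds=findtime), set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop hits older than findtime
                start += 1
            if end - start + 1 >= maxretry:
                result.add(str(ip))
                break
    return sorted(result)


# Constructed sample lines (not real traffic): a noisy outside client, an
# internal client that ignoreip must skip, a one-off client, and a non-match.
SAMPLE_LOG = [
    "13-Mar-2014 12:00:%02d.000 client 198.51.100.7#4%04d: query (cache) "
    "'x%d.example.invalid/A/IN' denied" % (i, i, i) for i in range(6)] + [
    "13-Mar-2014 12:00:10.000 client 10.192.34.96#5353: query (cache) "
    "'dyjwntl.www.0411gogo.com/A/IN' denied",
    "13-Mar-2014 12:00:11.000 client 198.51.100.8#5353: query (cache) "
    "'v.www.90uc.com/A/IN' denied",
    "13-Mar-2014 12:00:12.000 zone example.invalid/IN: loaded serial 1",
]
```

Run `offenders(open("/var/log/named/security.log"))` with your jail's maxretry and findtime to see who would be banned; internal clients such as 10.192.34.96 from the logwatch excerpt never appear because they fall inside ignoreip.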