If you run a DNS server on your system you have probably been plagued with external sites trying to forward queries through your DNS server. Even though you have probably told your named.conf to allow-query {"localnets";}; or a list of valid IPs, you probably still have a bunch of unnecessary probing that adds to your bandwidth consumption; even if you reject the queries and send 'refused' packets back, it ties up your line. I got tired of literally hundreds, sometimes thousands, of such queries, which I considered a form of attack, and thought that "fail2ban" could be a solution. I know about as much about writing filters as I do about the difference between my posterior and a hole in the ground, but a fellow fail2ban list member took pity on me and, in private e-mail, helped me develop a filter we call 'named-refused'. On 7/24 I installed it into fail2ban and started testing it. The results are in the log summary below. You will notice that on the 24th the filter 'named-refused' was invoked "a lot", and by the next day it was back to the normal fighting off of the sshd worm, and even that has gone way down since fail2ban was installed. I didn't post my entire log, but it is just as impressive to note that as of the 24th, fail2ban has reduced my DNS attack bandwidth to zero, because whoever those bad guys are have apparently decided that, because I no longer appear to exist, it isn't worth wasting their time trying anymore. As long as I responded to all of their attempts, even though they got 'refused' each time, they kept trying. Yay fail2ban, and thank you Cyril (the author) for a fine product and our fellow list member for your patience and time. The log below shows how effective it can be.
BTW, the excerpt from /messages was extracted BEFORE fail2ban was turned on with the new filter :) Because it is so effective, and because a lot of SUSE users do use SSHd and DNS and experience worms and attacks, I want to document the effectiveness of fail2ban in solving the problem we face when we run those servers/daemons. I, for one, have my machine back! I run SUSE 10.2 and 10.3a6 and I am more than willing to zip up my /etc/fail2ban local files, which should work with little or no modification on other distros. The gentleman that assisted me with the filter runs Debian and said he will submit a patch for Debian to Cyril (the author of fail2ban) to consider for distribution.

BTW, the report below can be produced by:

    grep "Ban " /var/log/fail2ban.log | awk '{print $1,$5,$7}' | sort | uniq -c

assuming your log file is in that directory with that name. Substitute your log file name if you don't use that name.

Richard

This is an excerpt from /var/log/messages. It shows literally thousands of attempts to induce my DNS to forward a query:

Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 sshd[5243]: Invalid user admin from 200.226.124.15
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 sshd[5246]: Invalid user user from 200.226.124.15
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.221.2#34166: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.221.2#34166: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied

This is a summary of the fail2ban log for the dates 7/23 to 7/27.

Attacks  Date        Filter           IP of Attacker
      1  2007-07-23  [ssh-iptables]   165.230.95.44
      2  2007-07-24  [named-refused]  128.110.124.120
      1  2007-07-24  [named-refused]  130.57.22.201
      1  2007-07-24  [named-refused]  130.57.22.6
      1  2007-07-24  [named-refused]  137.65.1.1
      1  2007-07-24  [named-refused]  137.65.1.2
      6  2007-07-24  [named-refused]  148.160.29.6
      2  2007-07-24  [named-refused]  155.101.98.155
      2  2007-07-24  [named-refused]  155.101.98.156
      1  2007-07-24  [named-refused]  165.230.69.67
      1  2007-07-24  [named-refused]  165.230.81.231
      1  2007-07-24  [named-refused]  165.230.84.227
      1  2007-07-24  [named-refused]  165.230.95.119
      3  2007-07-24  [named-refused]  165.230.95.90
      2  2007-07-24  [named-refused]  204.127.192.82
      2  2007-07-24  [named-refused]  204.127.192.85
      2  2007-07-24  [named-refused]  204.127.193.31
      1  2007-07-24  [named-refused]  204.127.193.32
      1  2007-07-24  [named-refused]  204.127.193.33
      1  2007-07-24  [named-refused]  204.127.193.36
      1  2007-07-24  [named-refused]  204.127.200.81
      1  2007-07-24  [named-refused]  204.127.200.82
      1  2007-07-24  [named-refused]  204.127.200.83
      2  2007-07-24  [named-refused]  204.127.200.84
      1  2007-07-24  [named-refused]  204.127.201.29
      1  2007-07-24  [named-refused]  204.127.201.31
      1  2007-07-24  [named-refused]  204.127.201.32
      1  2007-07-24  [named-refused]  204.127.201.33
      1  2007-07-24  [named-refused]  204.127.201.35
      1  2007-07-24  [named-refused]  204.127.201.36
      1  2007-07-24  [named-refused]  216.148.226.32
      1  2007-07-24  [named-refused]  216.148.226.33
      1  2007-07-24  [named-refused]  216.148.226.34
      1  2007-07-24  [named-refused]  216.148.226.36
      1  2007-07-24  [named-refused]  216.148.227.153
      3  2007-07-24  [named-refused]  63.240.77.32
      1  2007-07-24  [named-refused]  63.240.77.81
      1  2007-07-24  [named-refused]  63.240.77.85
      1  2007-07-24  [named-refused]  65.110.190.249
      1  2007-07-24  [ssh-iptables]   222.107.187.2
      1  2007-07-25  [ssh-iptables]   200.61.47.165
      1  2007-07-25  [ssh-iptables]   213.176.96.5
      1  2007-07-25  [ssh-iptables]   61.185.220.249
      1  2007-07-26  [ssh-iptables]   61.200.49.40
      1  2007-07-27  [ssh-iptables]   202.172.229.16
      1  2007-07-27  [ssh-iptables]   61.172.200.150

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
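Added example, not part of Richard's post: it is neither the 'named-refused' filter he and his list-mate wrote (the post does not reproduce it) nor fail2ban's own code. It shows in plain Python what such a jail does with the log lines in the excerpt: a failregex for BIND's "query '...' denied" lines with the client address captured where fail2ban's <HOST> would go, the maxretry/findtime counting that decides which clients get banned (including the ignoreip escape hatch for your own resolvers and localnets, and window expiry for slow probers), and the same per-day ban summary the grep|awk|sort|uniq -c one-liner prints. The regex, the fail2ban 0.8-style fail2ban.log line format, the maxretry/findtime defaults and the sample log lines are assumptions made for this example; the sample lines are constructed, with IPs borrowed from the excerpt.

```python
"""Replay BIND "query ... denied" lines through a fail2ban-style counter and
reproduce the grep|awk|sort|uniq ban summary.  Added example: not Richard's
'named-refused' filter (the post does not reproduce it) and not fail2ban's own
code.  The failregex, the 0.8-era fail2ban.log line format and the sample log
lines are assumptions/constructed for illustration."""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed filter.d stanza that this regex mirrors (fail2ban expands <HOST>):
#   [Definition]
#   failregex = named\[\d+\]: client <HOST>#\d+: query(?: \(cache\))? '.*' denied$
#   ignoreregex =
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
NAMED_REFUSED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client " + HOST + r"#\d+: query(?: \(cache\))? '(?P<q>[^']*)' denied$"
)

def parse_denied(line, year=2007):
    """(timestamp, client_ip, qname) for a denied-query line, else None.
    syslog lines carry no year, so the caller supplies it."""
    m = NAMED_REFUSED.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("q")

def _ignored(host, nets):
    """True if host lies inside one of the ignoreip networks."""
    try:
        return any(ipaddress.ip_address(host) in n for n in nets)
    except ValueError:  # not a parseable address, so it cannot be whitelisted
        return False

def decide_bans(lines, maxretry=3, findtime=600, ignoreip=(), year=2007):
    """Ban a client once it has `maxretry` hits inside a sliding `findtime`
    window (assumed defaults).  `ignoreip` takes addresses or CIDR prefixes,
    like fail2ban's ignoreip, and is how you keep your own resolvers and
    localnets out of the jail.  Returns banned clients in ban order."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        hit = parse_denied(line, year)
        if hit is None:
            continue
        ts, host, _qname = hit
        if host in banned or _ignored(host, nets):
            continue
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(host)
    return banned

# fail2ban 0.8-style log line (assumed).  awk's $1, $5 and $7 are the date,
# the [jail] and the banned IP, which is what the post's one-liner prints.
BAN_LINE = re.compile(r"^(\S+) \S+ \S+ \S+ (\[[^\]]+\]) Ban (\S+)$")

def summarize_bans(fail2ban_log):
    """Rows of: grep "Ban " fail2ban.log | awk '{print $1,$5,$7}' | sort | uniq -c"""
    counts = Counter()
    for line in fail2ban_log:
        m = BAN_LINE.match(line.rstrip("\n"))
        if m:  # "Unban" lines do not match, just as grep "Ban " skips them
            counts[m.groups()] += 1
    return sorted(counts.items())

# Constructed sample of /var/log/messages, modelled on the post's excerpt.
SAMPLE_MESSAGES = """\
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 sshd[5243]: Invalid user admin from 200.226.124.15
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 192.168.1.20#53001: query (cache) 'www.example.com/A/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 192.168.1.20#53001: query (cache) 'www.example.com/A/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.221.2#34166: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 192.168.1.20#53001: query (cache) 'www.example.com/A/IN' denied
Jul 24 09:40:00 raid5 named[3935]: client 195.135.221.2#34166: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:40:01 raid5 named[3935]: client 195.135.221.2#34166: query 'ns2.ricreig.com/AAAA/IN' denied
""".splitlines()

# Constructed sample of fail2ban.log in the assumed 0.8 format.
SAMPLE_FAIL2BAN_LOG = """\
2007-07-24 09:22:08,101 fail2ban.actions: WARNING [named-refused] Ban 195.135.220.2
2007-07-24 09:25:40,012 fail2ban.actions: WARNING [ssh-iptables] Ban 200.226.124.15
2007-07-24 09:31:02,560 fail2ban.actions: WARNING [named-refused] Ban 148.160.29.6
2007-07-24 10:22:08,300 fail2ban.actions: WARNING [named-refused] Unban 195.135.220.2
2007-07-24 11:03:19,718 fail2ban.actions: WARNING [named-refused] Ban 148.160.29.6
""".splitlines()

if __name__ == "__main__":
    print("banned, LAN whitelisted:", decide_bans(SAMPLE_MESSAGES, ignoreip=("192.168.1.0/24",)))
    print("banned, no ignoreip:    ", decide_bans(SAMPLE_MESSAGES))
    for (date, jail, ip), n in summarize_bans(SAMPLE_FAIL2BAN_LOG):
        print(f"{n:7d} {date} {jail} {ip}")
```

In the sample, 195.135.220.2 hits maxretry within seconds and is banned; 195.135.221.2 sends the same number of denied queries but spread across more than findtime, so its early hits expire and it is never banned; 192.168.1.20 is banned only if you forget to whitelist your LAN, which is the thing to check before turning a filter like this loose on a server that also serves your own clients.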