[opensuse] DNS Error Log - Solved
If you run a DNS server on your system you probably have been plagued with external sites trying to forward queries through your DNS server. Even though you probably have told your named.conf to allow-query {"localnets";}; or a list of valid IPs, you probably still have a bunch of unnecessary probing that adds to your bandwidth consumption; even if you reject the queries and send 'refused' packets back, it ties up your line. I got tired of literally hundreds, sometimes thousands of such queries which I considered a form of attack and thought that "fail2ban" could be a solution. I know about as much about writing filters as I do about the difference between my posterior and a hole in the ground, but a fellow fail2ban list member took pity on me and in private E-mail, helped me develop a filter we call 'named-refused'. On 7/24 I installed it into fail2ban and started testing it. The results are in the log summary below. You will notice on the 24th, the filter 'named-refused' was invoked "a lot" and by the next day, it was back to the normal fighting off the sshd worm, and even that has gone way down since fail2ban was installed. I didn't post my entire log, but it is just as impressive to note that as of the 24th, fail2ban has reduced my DNS attack bandwidth to zero because whoever those bad guys are have apparently decided that because I no longer appear to exist that it isn't worth wasting their time trying anymore. As long as I responded to all of their attempts, even though they got 'refused' each time, they kept trying. Yay fail2ban and thank you Cyril (the author) for a fine product and our fellow list member for your patience and time. The log below shows how effective it can be.
BTW, the excerpt from /messages was extracted BEFORE fail2ban was turned on with the new filter :) Because it is so effective and because a lot of SUSE users do use SSHd and DNS and experience worms and attacks, I want to document the effectiveness of fail2ban in solving the problem we face when we run those servers/daemons. I, for one, have my machine back! I run SUSE 10.2 and 10.3a6 and I am more than willing to zip up my /etc/fail2ban local files which should work with little or no modification on other distros. The gentleman that assisted me with the filter runs Debian and said he will submit a patch for Debian to Cyril (the author of fail2ban) to consider for distribution.

BTW, the report below can be produced by:

grep "Ban " /var/log/fail2ban.log | awk '{print $1,$5,$7}' | sort | uniq -c

assuming your log file is in that directory with that name. Substitute your log file name if you don't use that name.

Richard

This is an excerpt from /var/log/messages. It shows literally thousands of attempts to induce my DNS to forward a query:

Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 sshd[5243]: Invalid user admin from 200.226.124.15
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 sshd[5246]: Invalid user user from 200.226.124.15
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.221.2#34166: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.221.2#34166: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:09 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:10 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied

This is a summary of the fail2ban log for the dates 7/23 to 7/27.

Attacks  Date        Filter           IP of Attacker
      1  2007-07-23  [ssh-iptables]   165.230.95.44
      2  2007-07-24  [named-refused]  128.110.124.120
      1  2007-07-24  [named-refused]  130.57.22.201
      1  2007-07-24  [named-refused]  130.57.22.6
      1  2007-07-24  [named-refused]  137.65.1.1
      1  2007-07-24  [named-refused]  137.65.1.2
      6  2007-07-24  [named-refused]  148.160.29.6
      2  2007-07-24  [named-refused]  155.101.98.155
      2  2007-07-24  [named-refused]  155.101.98.156
      1  2007-07-24  [named-refused]  165.230.69.67
      1  2007-07-24  [named-refused]  165.230.81.231
      1  2007-07-24  [named-refused]  165.230.84.227
      1  2007-07-24  [named-refused]  165.230.95.119
      3  2007-07-24  [named-refused]  165.230.95.90
      2  2007-07-24  [named-refused]  204.127.192.82
      2  2007-07-24  [named-refused]  204.127.192.85
      2  2007-07-24  [named-refused]  204.127.193.31
      1  2007-07-24  [named-refused]  204.127.193.32
      1  2007-07-24  [named-refused]  204.127.193.33
      1  2007-07-24  [named-refused]  204.127.193.36
      1  2007-07-24  [named-refused]  204.127.200.81
      1  2007-07-24  [named-refused]  204.127.200.82
      1  2007-07-24  [named-refused]  204.127.200.83
      2  2007-07-24  [named-refused]  204.127.200.84
      1  2007-07-24  [named-refused]  204.127.201.29
      1  2007-07-24  [named-refused]  204.127.201.31
      1  2007-07-24  [named-refused]  204.127.201.32
      1  2007-07-24  [named-refused]  204.127.201.33
      1  2007-07-24  [named-refused]  204.127.201.35
      1  2007-07-24  [named-refused]  204.127.201.36
      1  2007-07-24  [named-refused]  216.148.226.32
      1  2007-07-24  [named-refused]  216.148.226.33
      1  2007-07-24  [named-refused]  216.148.226.34
      1  2007-07-24  [named-refused]  216.148.226.36
      1  2007-07-24  [named-refused]  216.148.227.153
      3  2007-07-24  [named-refused]  63.240.77.32
      1  2007-07-24  [named-refused]  63.240.77.81
      1  2007-07-24  [named-refused]  63.240.77.85
      1  2007-07-24  [named-refused]  65.110.190.249
      1  2007-07-24  [ssh-iptables]   222.107.187.2
      1  2007-07-25  [ssh-iptables]   200.61.47.165
      1  2007-07-25  [ssh-iptables]   213.176.96.5
      1  2007-07-25  [ssh-iptables]   61.185.220.249
      1  2007-07-26  [ssh-iptables]   61.200.49.40
      1  2007-07-27  [ssh-iptables]   202.172.229.16
      1  2007-07-27  [ssh-iptables]   61.172.200.150

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
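The thread never shows the 'named-refused' filter itself, so here is an added example (mine, not the filter from the post and not code from fail2ban) of what such a jail does: a failregex-shaped pattern for BIND's "query '...' denied" line, a per-client count like the grep|awk|sort|uniq -c report, and fail2ban's maxretry-within-findtime rule that turns hits into bans. The log lines are constructed in the exact format of the /var/log/messages excerpt; the year, the threshold of 5 hits and the 600-second window are assumptions. It also shows the check to run before enabling such a jail: the client that gets banned here is 195.135.220.2, one of the addresses Per identifies below as a SUSE name server. The filter bans whoever named's allow-query ACL refused, so if the ACL is wrong the jail blocks legitimate resolvers, not attackers.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Regex in the shape of a fail2ban failregex for BIND's ACL refusal line
# ("client A.B.C.D#port: query 'name/type/IN' denied"). It matches only
# named's refusals, so unrelated lines such as sshd's "Invalid user" are skipped.
NAMED_DENIED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied$"
)

LOG_YEAR = 2007  # syslog lines carry no year; assumed from the thread's dates


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) for a refusal line, else None."""
    m = NAMED_DENIED.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["qname"], m["qtype"]


def refusal_counts(lines):
    """Refusals per client, like the grep|awk|sort|uniq -c report, but read
    from named's own log rather than from fail2ban's."""
    return Counter(rec[1] for rec in map(parse_line, lines) if rec)


def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for clients with at least maxretry refusals
    inside any window of findtime seconds, which is how a fail2ban jail
    turns filter hits into bans (assumed defaults: 5 hits in 10 minutes)."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec:
            hits[rec[1]].append(rec[0])
    bans = {}
    for ip, times in hits.items():
        times.sort()
        start = 0  # left edge of the sliding window over this client's hits
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                bans[ip] = t  # banned at the hit that crossed the threshold
                break
    return bans


# Constructed sample in the format of the /var/log/messages excerpt: the three
# SUSE resolver addresses from the thread plus one sshd line as noise.
SAMPLE_LOG = """\
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 sshd[5243]: Invalid user admin from 200.226.124.15
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:07 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:08 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:45:00 raid5 named[3935]: client 195.135.221.2#34166: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:45:00 raid5 named[3935]: client 195.135.221.2#34166: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:45:01 raid5 named[3935]: client 195.135.221.2#34166: query 'ns1.ricreig.com/AAAA/IN' denied
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(refusal_counts(lines))            # 5, 5 and 2 refusals per client
    print(find_bans(lines))                 # only 195.135.220.2: 5 hits in 2 s
    print(find_bans(lines, findtime=86400)) # a day-long window also bans 195.135.221.2
```

195.135.221.2 has five refusals too, but split by 23 minutes, so the default window does not ban it; widening findtime does. Whether either ban is desirable is decided by the ACL that produced the refusals, not by the jail.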
Richard Creighton wrote:
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
195.135.220.2 is a SUSE name or mail-server or both. 195.135.221.2 is a SUSE name server. 195.135.220.15 is a SUSE name server.
Why are you refusing that lookup? (I'm assuming 'ricreig.com' is your domain).
With your ban, you've prevented people from doing:
"dig @ns2.ricreig.com. ns1.ricreig.com. AAAA"
It's your choice of course ....
/Per Jessen, Zürich -- http://www.spamchek.com/ - your spam is our business.
Per Jessen wrote:
Richard Creighton wrote:
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
195.135.220.2 is a SUSE name or mail-server or both. 195.135.221.2 is a SUSE name server. 195.135.220.15 is a SUSE name server.
Why are you refusing that lookup? (I'm assuming 'ricreig.com' is your domain).
With your ban, you've prevented people from doing:
"dig @ns2.ricreig.com. ns1.ricreig.com. AAAA"
It's your choice of course ....
/Per Jessen, Zürich
Ouch! If this is hosting the authoritative master zone for the domain this means you may have inadvertently broken your domain. I am not certain this is a choice in this case... I think it is possible to configure the DNS to act as a cache forwarder for local workstations, and to reply to requests for info about ricreig.com from external locations. It should also be possible to configure the logs so that the denied requests are kept in a separate log... While your original post indicated that you were more concerned about log sizes, you did not indicate that you were holding your own domain info.

--
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
G T Smith wrote:
I think it is possible to configure the DNS to act as a cache forwarder for local workstations, and to reply to requests for info about ricreig.com from external locations.
Certainly. That is a perfectly normal configuration.
It should also be possible to configure the logs so that the denied requests are kept in a separate log...
I think so too, although I haven't looked at it. I just don't see it as much of a problem. /Per Jessen, Zürich -- http://www.spamchek.com/ - your spam is our business.
G T Smith wrote:
Ouch! If this is hosting the authorative master zone for the domain this means you may have inadvertently broken your domain. I am not certain this is a choice in this case...
I think it is possible to configure the DNS to act as a cache forwarder for local workstations, and to reply to requests for info about ricreig.com from external locations. It should also be possible to configure the logs so that the denied requests are kept in a separate log...
The DNSStuff.com report shows the outside world can get the records, including reverse DNS info. The log excerpt was a bad choice where I had temporarily closed the DNS to the outside. I am not concerned about the size of the log, I know several ways to erase files :) What I am concerned about is DNS security. I have read several whitepapers on the subject where DNS servers are under attack from script-kiddies, so slowly but surely I will be converting to a split DNS topography where there is a public side and a private side, but in both cases, detecting the attack and dynamically responding to it is a desirable goal.
Richard Creighton wrote:
G T Smith wrote:
Ouch! If this is hosting the authorative master zone for the domain this means you may have inadvertently broken your domain. I am not certain this is a choice in this case...
<snip>
The DNSStuff.com report shows the outside world can get the records, including reverse DNS info. The log excerpt was a bad choice where I had temporarily closed the DNS to the outside. I am not concerned about the size of the log, I know several ways to erase files :) What I am concerned about is DNS security. I have read several whitepapers on the subject where DNS servers are under attack from script-kiddies, so slowly but surely I will be converting to a split DNS topography where there is a public side and a private side, but in both cases, detecting the attack and dynamically responding to it is a desirable goal.
Point taken... I suspect that because you were effectively acting as an open forwarder for a while your DNS may have been identified as a good vector for generating attacks on third parties. I think you may find one of two things may happen now: the attackers will go away, or they may get really p***d and try and blow you out of the water (network... whatever).... Hopefully the former, if latter grab hard hat and duck :-) But there is a good point in that anyone running an externally available DNS should look at their query and forwarding configuration.
G T Smith wrote: <snip>
The DNSStuff.com report shows the outside world can get the records, including reverse DNS info. The log excerpt was a bad choice where I had temporarily closed the DNS to the outside. I am not concerned about the size of the log, I know several ways to erase files :) What I am concerned about is DNS security. I have read several whitepapers on the subject where DNS servers are under attack from script-kiddies, so slowly but surely I will be converting to a split DNS topography where there is a public side and a private side, but in both cases, detecting the attack and dynamically responding to it is a desirable goal.
Point taken...
I suspect that because you were effectively acting as an open forwarder for a while your DNS may have been identified as a good vector for generating attacks on third parties. I think you may find one of two things may happen now: the attackers will go away, or they may get really p***d and try and blow you out of the water (network... whatever)....
Hopefully the former, if latter grab hard hat and duck :-)
But there is a good point in that anyone running an externally available DNS should look at their query and forwarding configuration.
Yes, and in my original post, I was touting the virtues of a tool called 'fail2ban' which has worked wonders in reducing to near zero undesired access/attempted accesses on my systems on several of my servers including sshd and ftpd and, with proper filters, several other commonly used daemons that script-kiddies use to try to break into systems. I happen to have a small LAN consisting of 4 machines, but I don't want people trashing it just for their jollies, or using it to facilitate trashing someone else's machines. Thus, while my security certainly is not perfect, I keep trying and tools like 'fail2ban' are quite useful. It is a testament that even 'naked', SUSE Linux is pretty secure but that doesn't mean we should sit back on our laurels and assume that it can't be cracked. So, even if you don't use a DNS server, if you use SSHd and need/want to use it from the external network, ie, from work or something, then 'fail2ban' is very effective there also. Thanks for your feedback.
Per Jessen wrote:
Richard Creighton wrote:
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.220.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:05 raid5 named[3935]: client 195.135.221.2#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns1.ricreig.com/AAAA/IN' denied
Jul 24 09:22:06 raid5 named[3935]: client 195.135.220.15#32768: query 'ns2.ricreig.com/AAAA/IN' denied
195.135.220.2 is a SUSE name or mail-server or both. 195.135.221.2 is a SUSE name server. 195.135.220.15 is a SUSE name server.
Why are you refusing that lookup? (I'm assuming 'ricreig.com' is your domain).
With your ban, you've prevented people from doing:
"dig @ns2.ricreig.com. ns1.ricreig.com. AAAA"
It's your choice of course ....
Bad choice of log excerpt.... I have thousands of NON NS non MS queries and yes ricreig.com is my domain and I limit forwarded queries from out of localnet with 'options allow-recursion { localnet; }; ' in named.conf.
Richard Creighton wrote:
Bad choice of log excerpt.... I have thousands of NON NS non MS queries and yes ricreig.com is my domain and I limit forwarded queries from out of localnet with 'options allow-recursion { localnet; }; ' in named.conf.
But you have also prevented me from doing this:

"dig @ns2.ricreig.com. ns1.ricreig.com. AAAA"

; <<>> DiG 9.3.2 <<>> @ns2.ricreig.com. ns1.ricreig.com. AAAA
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50945
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.ricreig.com. IN AAAA

;; Query time: 152 msec
;; SERVER: 70.46.31.228#53(70.46.31.228)
;; WHEN: Sun Jul 29 14:31:49 2007
;; MSG SIZE rcvd: 33

which I still think is odd - especially as you allow that query on ns1.ricreig.com ?
/Per Jessen, Zürich -- http://www.spamchek.com/ - your spam is our business.
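The status REFUSED in the dig output above is what named returns when the client fails the allow-query ACL; the "query '...' denied" lines in /var/log/messages are the server-side record of the same event. The following named.conf fragment is an added example, not the configuration from the thread: it shows the setting that produces that result beside one that keeps recursion restricted to the LAN while answering authoritative data for ricreig.com to anyone, and routes the refusals to their own log file as G T Smith suggested. The built-in BIND ACL is spelled "localnets"; the zone file name, log path and working directory are assumptions.

```conf
// Added example, not the thread author's named.conf. BIND 9 syntax;
// zone file name, log path and directory are assumptions.

// WEAK: a global allow-query also gates the zones this server is
// authoritative for, so outside resolvers asking ns1/ns2 for ricreig.com
// get status REFUSED and named logs "query '...' denied" for each one.
//
// options {
//     allow-query { localnets; };
// };

// CORRECTED: authoritative answers for anyone, recursion only for the LAN.
acl "lan" { localnets; localhost; };   // "localnets" is the built-in ACL name

logging {
    // named logs ACL refusals in the "security" category; give them their
    // own file so /var/log/messages stays readable and a fail2ban jail can
    // watch just this file.
    channel denied_log {
        file "/var/log/named/security.log" versions 3 size 5m;  // assumed path
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { denied_log; };
};

options {
    directory "/var/lib/named";        // assumed; SUSE's default location
    recursion yes;
    allow-recursion { "lan"; };        // never an open resolver for the world
    allow-query-cache { "lan"; };      // BIND 9.4 and later: cached answers only to the LAN
    allow-query { any; };              // zone data may be asked for from anywhere
};

zone "ricreig.com" IN {
    type master;
    file "master/ricreig.com.zone";    // assumed file name
    allow-query { any; };              // explicit, so a tighter options{} later cannot break it
    allow-transfer { none; };          // list the secondary servers' addresses here
};
```

After reloading, check both halves from outside the LAN: the query in Per's message, dig @ns2.ricreig.com. ns1.ricreig.com. AAAA, should come back NOERROR or NXDOMAIN rather than REFUSED, while a query for a name outside your zones should return no answer and no "ra" flag, since named clears "ra" for clients it will not recurse for. Only once that holds do the remaining "denied" lines represent recursion attempts worth feeding to fail2ban.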
Per Jessen wrote:
Richard Creighton wrote:
Bad choice of log exerpt....I have thousands of NON NS non MS queries and yes ricreig.com is my domain and I limit forwarded queries from out of localnet with 'options allow-recursion { localnet; }; ' in named.conf.
But you have also prevented me from doing this:
"dig @ns2.ricreig.com. ns1.ricreig.com. AAAA"
which I still think is odd - especially as you allow that query on ns1.ricreig.com ?
I'm working on that server at the moment so to prevent bad data getting out, I've disabled external access for the moment. The master is still accessible to the world....
Richard Creighton wrote:
If you run a DNS server on your system you probably have been plagued with external sites trying to forward queries through your DNS server.
Nope, can't say I have. I doubt if anyone else really has. Anyway, I took a look at some of my nameserver logfiles from 2006.10.18 to 2006.11.03 - I happened to have logging active, although I normally don't. Excluding all of my own systems' queries, I have 96233 queries over that time. Not a single one for a "foreign" domain.
Because it is so effective and because a lot of SUSE users do use SSHd and DNS and experience worms and attacks, I want to document the effectiveness of fail2ban in solving the problem we face when we run those server/demons. I, for one, have my machine back!
I'm not sure what it is you have set up, but I think you may well have shot yourself in the foot. It sounds like you're rejecting perfectly legitimate queries. /Per Jessen, Zürich -- http://www.spamchek.com/ - your spam is our business.
participants (3)
- G T Smith
- Per Jessen
- Richard Creighton