

Messages - logical

1
CSF Firewall / Re: Block denied bin/named queries
« on: April 12, 2020, 03:57:08 PM »
Hi Ej

I set LF_BIND low initially to see if it would trigger a firewall block on those IPs (which it didn't), and I do expect that is due to Syslog 3.

Your comment about local recursion got me thinking: recursion *was* disabled, but allow-query was set to { any; } (the default setting, I believe).

I have posted the options setup below.

Thanks for the reply. I do agree that those queries surely use some resource. Firewall blocks are about 50 temp bans at any given time for port scanning (port 2210 typically) and a very slow increase in perm bans (currently 53).
The server is pretty much a fresh install, hosts 2 domains, and only my own code is on there (Laravel projects etc.).
You are also right about banning China and I will be following suit very soon; presumably you use MaxMind or similar in csf.conf.

Regards

Chris

Code:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file  "/var/named/data/named.recursing";
secroots-file   "/var/named/data/named.secroots";
allow-query     { any; }; // I have just changed this to localhost (is a one server setup with 2 domains on it)
version "unknown";

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
*/
recursion no;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
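For comparison, here is an added named.conf fragment (not the poster's configuration, and not csf's) that shows the split a practitioner would normally want on a one-box setup: the global allow-query default tightened to localhost, while each zone the server actually serves keeps a per-zone allow-query { any; } so it is still answerable from the Internet. If named is the public authoritative server for the two hosted domains, a global allow-query { localhost; } alone would stop answering them to the world; the per-zone override restores that, and allow-query-cache { none; } makes the "no cache answers" behaviour explicit rather than relying on the recursion no default. The zone name example.net, the zone file name and the /var/log/named path are placeholders. The logging stanza addresses the log-size complaint directly: the "query (cache) '...' denied" messages are logged under BIND's security category, so routing that category to its own size-limited, rotated channel (or to the built-in null channel) keeps them out of the main log without touching the firewall.

```conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";

        // Authoritative-only server: never recurse, never answer from cache.
        recursion no;
        allow-query-cache { none; };

        // Global default for ordinary queries. Hosted zones override this below;
        // everything else (e.g. names this server is not authoritative for) is refused.
        allow-query { localhost; };

        version "unknown";
};

// Placeholder zone; repeat for each domain actually served on this box.
zone "example.net" IN {
        type master;
        file "example.net.zone";
        allow-query    { any; };   // public clients may query this zone
        allow-transfer { none; };  // list secondaries here if there are any
};

logging {
        // "query (cache) '...' denied" lines belong to the security category.
        // Keep them in their own rotated file (5 x 20 MB) so they cannot bloat
        // the main log; use "category security { null; };" to drop them entirely.
        channel security_log {
                file "/var/log/named/security.log" versions 5 size 20m;
                severity info;
                print-time yes;
        };
        category security { security_log; };

        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
```

After editing, run named-checkconf before reloading; a zone-level allow-query typo silently falls back to the global localhost default and takes the domain offline for external resolvers.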


2
CSF Firewall / Block denied bin/named queries
« on: April 11, 2020, 06:02:48 PM »
Hi all,

My log files are getting to be many hundreds of MB on a frequent basis. After checking through them, there are tens of thousands of entries like this:
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#27252 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied

I am running Restrict_Syslog level 3. Is there any way to get the firewall to block these IP addresses? I have spent many hours today checking through settings etc. but to no avail; a short extract is below.

Is this anything I should worry about? Granted, they probably cause very little server load, BUT given the size of the logs being generated, and also that they are not of good intention, they should surely be blocked.

LF_BIND = "60" <<< I did set this to 5 for testing, but I suspect it is ignored due to the Syslog setting (any sensible way to enable it?)
LF_BIND_PERM = "1"

Thanks

Chris

Code:
Apr 11 18:29:47 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#37140 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#46054 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#38211 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#10446 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#54154 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#54327 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#56504 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#64360 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#8109 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#14969 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#15857 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#27252 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#39212 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:54 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#10270 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:54 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#50582 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:54 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#12891 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied
Apr 11 18:29:55 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#33580 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:55 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#56248 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#54902 (ichfolge.com): query (cache) 'ichfolge.com/A/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#50540 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#50509 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#58602 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#52274 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#59709 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#64707 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#53013 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied
Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied
Apr 11 18:29:58 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#58519 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied
Apr 11 18:29:58 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#59158 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied
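To make the question concrete, here is an added Python example (not csf's or lfd's own code, and not posted by anyone in this thread) that does what the poster is asking the firewall to do: parse BIND's "query ... denied" lines, count denials per client IP, and flag an IP the first time it accumulates a threshold number of denials inside a sliding window. The threshold and window mirror the meaning of csf's LF_BIND and LF_INTERVAL settings (defaults 60 and 3600 s), but the counting logic is this example's own, not a reimplementation of lfd. The sample log lines are copied from the extract above (with the year 2020 assumed, since syslog timestamps carry none) plus one constructed non-matching named line to show that the parser ignores anything else. The generated `csf -td` commands use csf's real temporary-deny syntax (`csf -td ip ttl comment`).

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# BIND's client "query ... denied" message, as it appears in the post. The
# "@0x..." client pointer is optional because older BIND versions omit it.
DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query \((?P<src>cache|zone)\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Sample input: lines copied from the post, plus one constructed non-matching line.
SAMPLE_LINES = [
    "Apr 11 18:29:47 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#37140 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#46054 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied",
    "Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#38211 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#10446 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#54154 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied",
    "Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#54327 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:48 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.106#56504 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#64360 (gutepin.com): query (cache) 'gutepin.com/NS/IN' denied",
    "Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#8109 (ns2.gutepin.com): query (cache) 'ns2.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:53 fsrv1 named[991]: client @0x7f6cd40a9060 211.144.10.105#14969 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#54902 (ichfolge.com): query (cache) 'ichfolge.com/A/IN' denied",
    "Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 131.220.4.11#50540 (ns1.gutepin.com): query (cache) 'ns1.gutepin.com/AAAA/IN' denied",
    "Apr 11 18:29:57 fsrv1 named[991]: client @0x7f6cd40a9060 20.187.1.135#57668 (www.ichfolge.com): query (cache) 'www.ichfolge.com/A/IN' denied",
    # constructed, not from the post: an unrelated named message the parser must skip
    "Apr 11 18:30:01 fsrv1 named[991]: received control channel command 'stats'",
]


def parse_denied(line, year=2020):
    """Return a dict (ts, ip, src, qname, qtype, qclass) for a denied-query line, else None."""
    m = DENIED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps have no year; the caller supplies it (2020 assumed, the post's date)
    stamp = " ".join(rec["ts"].split())  # collapse "Apr  1" style padding
    rec["ts"] = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
    return rec


def denied_counts(lines, year=2020):
    """Denied queries per client IP: the grep | awk | sort | uniq -c view of the log."""
    recs = (parse_denied(line, year) for line in lines)
    return Counter(rec["ip"] for rec in recs if rec)


def flag_offenders(lines, threshold=60, interval_seconds=3600, year=2020):
    """Sliding-window trigger in the spirit of LF_BIND / LF_INTERVAL.

    An IP is flagged the first time it reaches `threshold` denials within any
    `interval_seconds` span. Returns {ip: datetime of the triggering line}.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_denied(line, year)
        if rec is None or rec["ip"] in flagged:
            continue
        window = windows[rec["ip"]]
        window.append(rec["ts"])
        # drop timestamps that fell out of the interval (the newest entry is always kept)
        while (rec["ts"] - window[0]).total_seconds() > interval_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def csf_tempdeny_commands(flagged, ttl=3600):
    """Render one temporary-deny command per flagged IP (csf -td ip ttl comment)."""
    return [
        f'csf -td {ip} {ttl} "named denied queries, first trigger {ts:%b %d %H:%M:%S}"'
        for ip, ts in sorted(flagged.items())
    ]


if __name__ == "__main__":
    # threshold lowered to 5 so the short extract actually trips it
    hits = flag_offenders(SAMPLE_LINES, threshold=5)
    for ip, n in denied_counts(SAMPLE_LINES).most_common():
        print(f"{ip:>16}  {n} denials")
    for cmd in csf_tempdeny_commands(hits):
        print(cmd)
```

With the extract above and threshold 5, only 211.144.10.106 trips the window (its fifth denial lands at 18:29:48); the other three sources stay below it, which is exactly why a low LF_BIND on a short sample can look like it "did nothing". Run it over the real log with the defaults (60 in 3600 s) before deciding the firewall side is broken.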
