[Pdns-users] protect using fail2ban
Steffan Noord
2014-01-30 10:07:54 UTC
Hello list,

I'm new to fail2ban and want to secure pdns-server 3.1.
I found a thread with:

in /etc/fail2ban/filter.d/pdns.conf:
======
[Definition]
failregex = pdns(?:\[\d{1,5}\])?: Not authoritative for '.*',.*sending
servfail to <HOST> \(recursion was desired\)
ignoreregex =
======

jail.conf:

========
[pdns-qdomain]
enabled = true
#port = domain,8053
protocol = udp
filter = pdns
logpath = /var/log/daemon.log
bantime = 259200
maxretry = 2
========

But when starting fail2ban I'm getting an error:

ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/pdns.conf
[line 3]: 'servfail to <HOST> \\(recursion was desired\\) \n'

Can someone help me set up fail2ban?
Thanks

Steffan
Aki Tuomi
2014-01-30 10:51:31 UTC
Hi Steffan,

Are you absolutely sure you know what you are doing? This has great potential for locking out
completely legitimate users. Why would you want to do this?

Your problem, however, is regular expression related. You might want to remove the line break? =)

Aki Tuomi
Steffan Noord
2014-01-30 11:00:21 UTC
In the past I had a DNS flood, so I'm trying to set up some firewall options.
I found this on the list.
But you say that is not the right way to do it?


Andreas Tauscher
2014-01-30 16:19:46 UTC
Post by Steffan Noord
In the past i had a dns flood so im trying to setup some firewall options.
I found this on the list.
But you say that is not the right way to do ?
As Aki Tuomi wrote: are you absolutely sure you know what you are doing?

Most DNS traffic is UDP. The sender address in such a flood might be
faked, or normally is faked. By blocking it automatically you open the
possibility of a DoS attack on your legitimate users.

Andreas
John WH Smith
2014-01-30 17:44:22 UTC
I wouldn't rule out the possibility of blocking (legitimate) users even
outside the DoS context. DNS is probably the most requested network
component on your machine: it wouldn't be unusual for the same IP to
process N>10 DNS requests in a matter of seconds (bots, opening browser
tabs, connecting mail servers relying on the domain, and so on). That's
part of the reasons for using UDP in DNS transactions.

Now about the DoS risk: it might take some power to bring down a DNS
server, especially if you consider the DNS secondary servers. With 2, 3
or 4 servers registered for your domain, it takes 2/3/4 times as much
power to make the whole service unavailable... Someone with such power
would probably use it to crush your bandwidth, not your application
layer... (not to mention the spoofing problem mentioned by Andreas
Tauscher).

DoS attacks should be handled far before requests reach your server. You
may want to ask your provider about its installation before setting up
too restrictive/dangerous rules through something like fail2ban.
_______________________________________________
Pdns-users mailing list
http://mailman.powerdns.com/mailman/listinfo/pdns-users
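As an added example (not code from this thread, nor from the PowerDNS or fail2ban projects), the Python below ties together two points made above: Aki's fix for the ParsingError (the failregex must sit on one line, since an INI reader only treats indented lines as continuations), and the warning from Andreas and John that the jail's maxretry = 2 bans any source that trips the pattern twice, whether that source is a spoofed flood or a real client. It parses the filter as posted and the fixed one, expands <HOST>, and runs the pattern over log lines. Assumptions not in the original: the daemon.log lines are constructed, the <HOST> expansion is an approximation of fail2ban's own, and all hits are taken to fall inside a single findtime window.

```python
import configparser
import re
from collections import Counter

# Filter as posted: the second line of failregex has no leading whitespace,
# so the INI parser sees a new line with no "key = value" delimiter.
BROKEN_FILTER = r"""[Definition]
failregex = pdns(?:\[\d{1,5}\])?: Not authoritative for '.*',.*sending
servfail to <HOST> \(recursion was desired\)
ignoreregex =
"""

# Fixed: the whole pattern on one line. (An indented continuation line would
# also parse, since INI continuation requires leading whitespace.)
FIXED_FILTER = r"""[Definition]
failregex = pdns(?:\[\d{1,5}\])?: Not authoritative for '.*',.*sending servfail to <HOST> \(recursion was desired\)
ignoreregex =
"""

# Assumption: an approximation of fail2ban's classic <HOST> expansion,
# good enough here for IPv4 addresses and hostnames.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed daemon.log lines, not real output. 198.51.100.10 is one client
# (say, a resolver pointed at the wrong forwarder) that trips the pattern
# twice; 203.0.113.77 trips it once; the last line is ordinary startup noise.
SAMPLE_LOG = """\
Jan 30 10:01:01 ns1 pdns[2231]: Not authoritative for 'example.org', sending servfail to 198.51.100.10 (recursion was desired)
Jan 30 10:01:02 ns1 pdns[2231]: Not authoritative for 'example.net', sending servfail to 198.51.100.10 (recursion was desired)
Jan 30 10:01:05 ns1 pdns[2231]: Not authoritative for 'example.net', sending servfail to 203.0.113.77 (recursion was desired)
Jan 30 10:01:09 ns1 pdns[2231]: Done launching threads, ready to distribute questions
"""


def parse_filter(text):
    """Parse a filter.d file the way an INI reader does.

    Returns (failregex, None) on success, or (None, error_message) when the
    file does not parse, which is what happened to the filter as posted.
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.ParsingError as exc:
        return None, str(exc)
    return cp["Definition"]["failregex"], None


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does before scanning the log."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def offending_hosts(failregex, log_text):
    """Count failregex matches per source address over the log lines."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(hits, maxretry):
    """Sources the jail would ban (assumes all hits fall inside one findtime)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    _, error = parse_filter(BROKEN_FILTER)
    print("filter as posted:", error.splitlines()[0])
    regex, error = parse_filter(FIXED_FILTER)
    hits = offending_hosts(regex, SAMPLE_LOG)
    print("hits per source:", dict(hits))
    print("banned with maxretry=2:", hosts_to_ban(hits, maxretry=2))
```

The same check against a real log is what fail2ban's own `fail2ban-regex` tool does: `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/pdns.conf` prints how many lines matched and which addresses were extracted, so run it before enabling the jail. Note that nothing in the match tells you whether the source address was spoofed, which is the crux of the replies above.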
Steffan Noord
2014-01-31 08:44:14 UTC
So, in conclusion:
Do not use a firewall unless you're under attack.
Then use a firewall to filter out the attacker and block him at the front
end.

Steffan
