Hi, normally, i would not respond to a post like yours :) when people ask your dns server a question, they are not logging into your system. - so fail2ban is not the correct tool the correct answer is any of the below: you need to write a program or a script for example on a small single system - one that checks your logs and then adds an iptables rule to your firewall - larger systems/clusters simply customize bind or maybe rate limit connections (check your named.conf - rate limit) and/or a combination of these things - there are also many other ways to stop this (for example forward write to your routers (if you have routers) etc. hth Andre On Wed, 29 Aug 2018 20:40:16 -0400 Michael Galea via talk <talk@gtalug.org> wrote:
I am experiencing what I believe is a DNS amplification attack on my bind9 DNS server.
I'm seeing very of the following on different IPs 20:11:53.977254 IP 108.234.250.76.62926 > 69.265.222.253.53: 50679+ [1au] ANY? USADF.GOV. (38)
My server responds 20:11:53.977776 IP 69.265.222.253.53 > 108.234.250.76.62926: 50679 Refused- 0/0/1 (38)
I imagine the IPs are spoofed. I have installed fail2ban in order to address the problem. Various howtos detail how to configure bind to log to /var/log/named/security.log and setup fail2ban.
The security.log is filling nicely with lots of "29-Aug-2018 20:23:07.798 client @0x7fa1d013b990 66.69.234.170#29024 (USADF.GOV): query (cache) 'USADF.GOV/ANY/IN' denied" and fail2ban is indicating "Jail 'named-refused' started" but it never actually bans an IP.
2) I used fail2ban-regex to test the security.log line against fail2bans named-refused regex, but its doesn't match! So I have to conclude either debian bind9 changed the log output or fail2ban git it wrong.
I'm using the latest fail2ban from debian. Has anyone else got this to work?