- [Show pagesource]
- [Old revisions]
- [[unknown link type]]
- []
Popisu obranu proti utoku, ktery jsem nahodou dnes v noci detekoval.
Priznaky:
- podezrele plny conntrack dotazama do DNS
- podezrele velky tok z DNS serveru obsluhujiciho jen par domen
- v logu bindu (syslog) zadne zaznamy, kdyz ho mate spatne nastaveny
Me konkretne chybela options “recursion no”. Chybne jsem se domnival, ze vyrazenim povoleni rekurze je tato vyrazena. Neni.
// allow-recursion { any; };
Je treba napsat explicitne recursion no;
Logovani kvuli obrovskemu toku dat je treba presmerovat jinam. Navic se tim zbytecne nebude vycerpavat kapacita na centralnim remote-log serveru, kam se vsechny syslogy on-line posilaji.
logging {
category lame-servers { null; };
channel security_file {
file "/var/log/named/security.log" versions 3 size 30m;
severity dynamic;
print-time yes;
};
category security {
security_file;
};
};
Toto byl prvni krok k uspechu.
Druhy krok k uspechu
Priznaky utoku:
- log je uplne plny hlasek:
Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied Jun 6 02:14:34 www named[22552]: client 199.229.230.62#25595: query (cache) './ANY/IN' denied
zde opet perfektne zafunguje fail2ban s timto nastavenim:
[named-refused-udp] enabled = true port = domain,953 protocol = udp filter = named-refused logpath = /var/log/named/security.log [named-refused-tcp] enabled = true port = domain,953 protocol = tcp filter = named-refused logpath = /var/log/named/security.log
Po chvili se ve vypisu iptables zacne objevovat tucny seznam podobny tomuto:
dns:/etc/fail2ban# iptables -L -n [...] Chain fail2ban-named-refused-udp (1 references) target prot opt source destination DROP all -- 24.131.123.64 0.0.0.0/0 DROP all -- 69.246.154.178 0.0.0.0/0 DROP all -- 64.120.30.66 0.0.0.0/0 DROP all -- 76.186.226.253 0.0.0.0/0 DROP all -- 82.11.150.206 0.0.0.0/0 DROP all -- 142.136.203.131 0.0.0.0/0 DROP all -- 64.31.23.230 0.0.0.0/0 DROP all -- 185.5.174.200 0.0.0.0/0 DROP all -- 67.167.168.119 0.0.0.0/0 DROP all -- 50.23.74.93 0.0.0.0/0 DROP all -- 201.124.46.222 0.0.0.0/0 DROP all -- 24.189.209.41 0.0.0.0/0 DROP all -- 81.2.197.157 0.0.0.0/0 DROP all -- 37.5.92.17 0.0.0.0/0 DROP all -- 65.128.26.184 0.0.0.0/0 DROP all -- 68.55.173.3 0.0.0.0/0 DROP all -- 184.61.247.204 0.0.0.0/0 DROP all -- 99.233.205.66 0.0.0.0/0 DROP all -- 77.96.105.112 0.0.0.0/0 DROP all -- 189.228.237.69 0.0.0.0/0 DROP all -- 200.147.38.48 0.0.0.0/0 DROP all -- 200.221.11.116 0.0.0.0/0 DROP all -- 200.147.38.49 0.0.0.0/0 DROP all -- 200.147.6.35 0.0.0.0/0 DROP all -- 208.115.222.253 0.0.0.0/0 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Bind9 notify
Bind DNS sends notify to all name servers expect itself and master nameserver in SOA.
notify yes;
sends notify to all name servers in RR (except itself and SOA master)
notify yes;
also-notify { x.x.x.x; y.y.y.y; };
sends notify to x.x.x.x, y.y.y.y and all name servers in RR (except itself and SOA master).
notify explicit;
also-notify { x.x.x.x; y.y.y.y; };
sends notify to just x.x.x.x, y.y.y.y
Upozorneni: takto nastaveny bind+fail2ban muze zpusobit DoS vlastniho serveru. UDP packety mohou prichazet s podvrzenou zdrojovou IP.