I set up a dnsmasq server on my Alibaba Cloud VPS for personal use, to get pollution-free DNS resolution. The IP was recently exposed, and sure enough it got attacked: the server was being used for DNS amplification attacks.
Since dnsmasq was never designed to serve DNS to the outside world, it has very few security-related configuration options (none, really!), but it makes resolution policy (for example a China whitelist) very easy to configure. So I kept dnsmasq as the base and put Bind9 in front of it to handle security.
So today, let's look at how to configure Bind9 securely.
Bind9's own security configuration
Bind9 itself supports a number of security policies; if we configure them properly, we can make the DNS server quite robust.
Edit /etc/bind/named.conf.options and add a custom policy:
```
options {
	directory "/var/cache/bind";
	version "None of your business";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	forwarders {
		127.0.0.1 port 5352;
	};

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	// dnssec-validation auto;
	// recursion no;

	auth-nxdomain no;    # conform to RFC1035
	//listen-on-v6 { any; };

	forward only;
	allow-query {any;};
	allow-query-cache {any;};

	dnssec-enable no;
	dnssec-validation no;

	rate-limit {
		ipv4-prefix-length 32;
		window 10;
		responses-per-second 25;
		errors-per-second 5;
		nxdomains-per-second 5;
		slip 2;
	};
};
```
Detailed explanation:
```
version "None of your business";
```
Hides the Bind9 version string, so that attackers cannot trivially target the vulnerabilities of your particular Bind9 version.
```
forwarders {
	127.0.0.1 port 5352;
};
```
Forwards queries to an upstream resolver, just as dnsmasq does, so that Bind9 does not resolve from the root servers itself and polluted answers can be avoided (here I forward to the local dnsmasq listening on port 5352).
```
forward only;
allow-query {any;};
allow-query-cache {any;};
```
Only allow forwarding and disable resolution from the root, while opening both queries and cached answers to the outside. Note that `allow-query {any;}` is exactly what makes this an open resolver; the rate-limit below and the Fail2ban rules later in this post are what make that survivable.
```
dnssec-enable no;
dnssec-validation no;
```
Disables the DNSSEC configuration. Because I forward everything up to dnsmasq, whose replies are non-authoritative answers, Bind9 has to be made to accept non-authoritative answers, and for that these have to be switched off. If you do not forward like this, you do not need to turn them off.
When you query a domain name you may see a "Non-authoritative answer" note; it indicates that the domain you asked for is not hosted on the DNS server you are currently querying.
```
rate-limit {
	ipv4-prefix-length 32;
	window 10;
	responses-per-second 25;
	errors-per-second 5;
	nxdomains-per-second 5;
	slip 2;
};
```
Rate limit per client IP: once a single IP exceeds 25 responses per second, the excess is no longer answered and is simply dropped. (With `slip 2`, every second dropped response is replaced by a truncated reply, which a legitimate client will retry over TCP; these show up as "rate limit slip" in the log.)
Effect
You should now see a lot of overrun drop records in /var/log/syslog. Even so, the VPS traffic still flows away like water, so we also need a third-party tool to deal with these IPs.
Remember to restart the service:
```
service bind9 restart
```
Using Fail2ban to block attacker IPs automatically
Yes, if you have read my earlier post on basic safety measures for a VPS, this tool should already be installed on your VPS and running fine with its defaults. But to use it with Bind9 we need to customise it a bit.
Making Bind9 logging compatible with Fail2ban
By default Bind9 does not write a separate log, so we need to send its log output somewhere Fail2ban can read it. Edit /etc/bind/named.conf and append the following at the end of the file:
```
logging {
	channel query_log {
		file "security.log" versions 3 size 30m;
		severity info;
		print-time yes;
	};
	category default { query_log; };
};
```
This redirects Bind9's default log to /var/cache/bind/security.log, rotated at 30M (keeping 3 versions).
If you now watch the file with
```
tail -f /var/cache/bind/security.log
```
you will see many records like this:
```
23-Apr-2016 18:44:08.560 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.589 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.607 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.695 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.696 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.752 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.844 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.950 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.009 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.015 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.112 client 94.254.209.48#80 (nhl.msk.su): rate limit drop response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.117 client 94.254.209.48#80 (nhl.msk.su): rate limit slip response to 94.254.209.48/32 for nhl.msk.su IN ANY (0000640d)
```
Clearly, someone is using my DNS server for reflection attacks. Next, we configure Fail2ban to get rid of these IPs.
Enabling Fail2ban for Bind9
Fail2ban actually supports Bind9 natively and even ships a ready-made jail for it, but that policy does not quite match what we want, so we have to modify it ourselves.
Edit the jail configuration
Edit /etc/fail2ban/jail.conf and find the Bind9 section. The default looks like this:
```
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
...

[named-refused-tcp]
...
```
We change it so that both the udp and the tcp jails are enabled:
```
[named-refused-udp]
enabled  = true
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/cache/bind/security.log
findtime = 1
maxretry = 5
action   = iptables-multiport[name=Named, port=53, protocol=udp]

[named-refused-tcp]
enabled  = true
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/cache/bind/security.log
findtime = 1
maxretry = 5
action   = iptables-multiport[name=Named, port=53, protocol=tcp]
```
This means that once 5 matching records from the same IP are found within 1 second (findtime = 1, maxretry = 5), that IP is added to the blacklist; the default ban time is 3600 seconds. Don't worry: the records being counted are the rate-limit drop records, not normal query records.
Modify the filter rule
Next we change the default rule. The default rule detects attacks against the server, whereas what we want to detect is the server being used to attack others. Edit /etc/fail2ban/filter.d/named-refused.conf and find the following lines:
```
failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
```
and change them to:
```
failregex = <HOST>#\S+( \([\S.]+\))?\: rate limit drop
```
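To check what the jail above (findtime = 1, maxretry = 5) and this failregex actually do to the log before touching the firewall, here is a small Python re-implementation of the matching and the ban decision. It is an added example, not part of the original post or of Fail2ban itself; it assumes IPv4 clients (an IPv4 pattern stands in for Fail2ban's `<HOST>`), and the log lines are constructed in the post's format with documentation IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# fail2ban expands <HOST> itself; here an IPv4-only capture stands in for it
# (assumption: clients are IPv4, as in the post's log excerpt).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The post's replacement failregex, with <HOST> substituted.
FAILREGEX = re.compile(HOST_RE + r"#\S+( \([\S.]+\))?\: rate limit drop")
# BIND's print-time prefix as it appears in the log, e.g. "23-Apr-2016 18:44:08.560".
TS_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")

# Constructed sample in the post's log format, using documentation IPs:
# 192.0.2.10 gets five drops inside one second, 192.0.2.20 only one.
SAMPLE_LOG = """\
23-Apr-2016 18:44:08.560 client 192.0.2.10#80 (nhl.msk.su): rate limit drop response to 192.0.2.10/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.589 client 192.0.2.10#80 (nhl.msk.su): rate limit slip response to 192.0.2.10/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.607 client 192.0.2.10#80 (nhl.msk.su): rate limit drop response to 192.0.2.10/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.696 client 192.0.2.10#80 (nhl.msk.su): rate limit drop response to 192.0.2.10/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.700 client 192.0.2.20#5353 (nhl.msk.su): rate limit drop response to 192.0.2.20/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:08.844 client 192.0.2.10#80 (nhl.msk.su): rate limit drop response to 192.0.2.10/32 for nhl.msk.su IN ANY (0000640d)
23-Apr-2016 18:44:09.009 client 192.0.2.10#80 (nhl.msk.su): rate limit drop response to 192.0.2.10/32 for nhl.msk.su IN ANY (0000640d)
"""

def parse_line(line):
    """Return (timestamp, client_ip) when the line matches the failregex, else None."""
    m = FAILREGEX.search(line)
    ts = TS_RE.match(line)
    if not m or not ts:
        return None
    when = datetime.strptime(ts.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return when, m.group("host")

def find_bans(lines, findtime=1.0, maxretry=5):
    """Sliding-window ban decision mirroring the jail's findtime/maxretry:
    a host is banned once it has maxretry matches within findtime seconds."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # 'slip' lines and other log lines do not count
            continue
        when, host = parsed
        if host in banned:
            continue
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned
```

Running `find_bans(SAMPLE_LOG.splitlines())` returns `['192.0.2.10']`: the "slip" lines are ignored by the regex, and only the host with five drops inside one second would be handed to the iptables action.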
Restart the service
Restart Fail2ban with
```
service fail2ban restart
```
and then check the status of the jail with this command:
```
:~# fail2ban-client status named-refused-udp
Status for the jail: named-refused-udp
|- filter
|  |- File list:        /var/cache/bind/security.log
|  |- Currently failed: 0
|  `- Total failed:     9
`- action
   |- Currently banned: 1
   |  `- IP list:       94.254.209.48
   `- Total banned:     1
```
As you can see, one IP has already been caught.
Summary
In short, after all this work we end up with the following: Bind9 limits the number of requests per second from a single IP (you can adjust the limit to your needs); once an IP exceeds that limit within one second, the excess requests are logged and dropped; and if that happens more than five times, the IP is blacklisted and rejected by the firewall (the other side sees "destination unreachable").
A word about UDP
As you can see, the Fail2ban configuration file itself warns that the UDP policy is dangerous: because attackers can easily forge the source address, your rules could be abused to maliciously block specific IPs. If that happens on your server, you will need to turn off the UDP policy.