Iptables-Fail2ban处理bind 非法***

 早上发现DNS流量有些异常，查了query.log日志如下:

9-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.588 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.657 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.663 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.758 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.802 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.824 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.848 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

处理方法:

添加iptables规则(需要添加connlimit模块),限制单IP并发请求数:

-A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j DROP
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP

一、首先检查bind本身安全，利用bind添加acl,同时限制递归查询，添加黑名单。

acl "mynetwork" {
183.61.81.0/25;
119.38.123.0/25;
180.60.116.0/25;
163.172.24.0/25;
127.0.0.1/32;
};
acl "blackhats" {
108.162.204.88;
184.168.72.113;
93.170.127.96;
72.46.155.84;
178.33.217.2;
72.46.132.122;
78.159.111.197;
192.96.200.41;
};

全局设置变更：

allow-query { mynetwork; };  #这里设置自己网络，zone里面可以设置成any

allow-recursion { mynetwork; };   #针对递归进行处理
#allow-query-cache {mynetwork;};  #针对查询缓存处理

        version                     "hello babay"; #隐藏版本

        edns-udp-size 1024;  # 设置udp消息大小，单位字节

        max-udp-size 4096; #设置最大udp消息大小，单位字节

    blackhole {blackhats;};#设置黑名单

二、利用fail2ban过滤日志,调用iptables限制指定ip地址

下载fail2ban: https://github.com/fail2ban

或http://sourceforge.net/projects/fail2ban/

我这里用的是fail2ban-0.8.4，解压包后

执行python setup.py install安装完成。

/etc/fail2ban/jail.conf     过滤相关服务配置文件

/etc/fail2ban/fail2ban.conf   主配置文件，设置sock和日志文件

/etc/fail2ban/filter.d/   相应服务的过滤规则文件路径

/etc/fail2ban/action.d/  相应服务的动作配置文件路径

jail.conf添加指定服务参数:

[named-refused-udp]
enabled  = true
filter   = named-refused  #指定过滤规则
action   = iptables-multiport[name=Named, port=53, protocol=udp]
           sendmail-whois[name=Named, [email protected]]
logpath  = /opt/soft/bind/log/query.log  #指定过滤日志
bantime  = 3600 #封锁时间,单位秒,
findtime  = 100  #100秒内超过次数屏蔽,单位秒
maxretry = 3   #最大尝试次数
ignoreip = 127.0.0.1

[named-refused-tcp]
enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port=53, protocol=tcp]
           sendmail-whois[name=Named, [email protected]]
logpath  = /opt/soft/bind/log/query.log
bantime  = 360000
findtime  = 100
maxretry = 3
ignoreip = 127.0.0.1

添加过滤规则:named-refused.conf

# Fail2Ban configuration file for named (bind9). Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#
# $Revision: 730 $
#

[Definition]

#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
#       hostname       daemon_id         spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient #.+: query: (baidu.com|isc.org) IN ANY \+ED*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

执行动作文件#egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf 

[Definition]
actionstart = iptables -N fail2ban-
              iptables -A fail2ban- -j RETURN
              iptables -I INPUT -p  -m multiport --dports  -j fail2ban-
actionstop = iptables -D INPUT -p  -m multiport --dports  -j fail2ban-
             iptables -F fail2ban-
             iptables -X fail2ban-
actioncheck = iptables -n -L INPUT | grep -q fail2ban-
actionban = iptables -I fail2ban- 1 -s  -j DROP
actionunban = iptables -D fail2ban- -s  -j DROP
[Init]
name = default
port = ssh
protocol = tcp

fail2ban-client  start或fail2ban-server 启动服务

我们看下效果吧，已经有拉黑的IP了。

#fail2ban-client  status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
|  |- File list: /opt/soft/bind/log/query.log 
|  |- Currently failed: 5
|  `- Total failed: 299
`- action
   |- Currently banned: 5
   |  `- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32   (国外的IP已经拉黑啦)
   `- Total banned: 15

Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Iptables的也已经自动添加了
Chain fail2ban-Named (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   576 DROP       all  --  *      *       174.142.207.122      0.0.0.0/0           
  241 15424 DROP       all  --  *      *       61.147.120.25        0.0.0.0/0           
   27  1728 DROP       all  --  *      *       61.147.112.32        0.0.0.0/0           
  115  7360 DROP       all  --  *      *       178.32.244.170       0.0.0.0/0           
  119  7616 DROP       all  --  *      *       61.147.112.29        0.0.0.0/0           
   51  3264 DROP       all  --  *      *       94.75.243.137        0.0.0.0/0           
 2206  141K DROP       all  --  *      *       107.20.206.69        0.0.0.0/0           
12829  833K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

查阅资料地址:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html

http://www.isc.org/software/bind/documentation

http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query

http://www.bergercity.de/tag/bind/

http://sourceforge.net/projects/fail2ban/

http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup