?早上發現DNS流量有些異常，查了query.log日志如下:

9-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.588 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.657 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.663 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.758 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.802 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.824 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.848 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

處理方法:

添加iptables規則(需要添加connlimit模塊),限制單IP并發請求數:

-A?INPUT?-p?tcp?-m?tcp?--dport?53?--tcp-flags?SYN,RST,ACK?SYN?-m?limit?--limit?20/sec?--limit-burst?200?-j?DROP??

-A?INPUT?-p?udp?-m?udp?--dport?53?-m?state?--state?NEW,RELATED,ESTABLISHED?-m?connlimit?--connlimit-above?5?--connlimit-mask?32?-j?DROP??

-A?INPUT?-p?tcp?-m?tcp?--dport?53?-m?state?--state?NEW,RELATED,ESTABLISHED?-m?connlimit?--connlimit-above?5?--connlimit-mask?32?-j?DROP??

一、首先檢查bind本身安全，利用bind添加acl,同時限制遞歸查詢，添加黑名單。

acl?"mynetwork"?{?

183.61.81.0/25;?

119.38.123.0/25;?

180.60.116.0/25;?

163.172.24.0/25;?

127.0.0.1/32;?

};?

acl?"blackhats"?{?

108.162.204.88;?

184.168.72.113;?

93.170.127.96;?

72.46.155.84;?

178.33.217.2;?

72.46.132.122;?

78.159.111.197;?

192.96.200.41;?

};?

全局設置變更：

allow-query { mynetwork; }; ?#這里設置自己網絡，zone里面可以設置成any

allow-recursion { mynetwork; }; ? #針對遞歸進行處理
#allow-query-cache {mynetwork;}; ?#針對查詢緩存處理

? ? ? ? version ? ? ? ? ? ? ? ? ? ? "hello babay"; #隱藏版本

? ? ? ??edns-udp-size 1024; ?# 設置udp消息大小，單位字節

? ? ? ? max-udp-size 4096; #設置最大udp消息大小，單位字節

? ? blackhole {blackhats;};#設置黑名單

二、利用fail2ban過濾日志,調用iptables限制指定ip地址

下載fail2ban:?https://github.com/fail2ban

或http://sourceforge.net/projects/fail2ban/

我這里用的是fail2ban-0.8.4，解壓包后

執行python setup.py install安裝完成。

/etc/fail2ban/jail.conf ? ? 過濾相關服務配置文件

/etc/fail2ban/fail2ban.conf ? 主配置文件，設置sock和日志文件

/etc/fail2ban/filter.d/ ? 相應服務的過濾規則文件路徑

/etc/fail2ban/action.d/ ?相應服務的動作配置文件路徑

jail.conf添加指定服務參數:

[named-refused-udp]?

enabled??=?true?

filter???=?named-refused? #指定過濾規則

action???=?iptables-multiport[name=Named,?port=53,?protocol=udp]?

???????????sendmail-whois[name=Named,?dest=cecnck@gmail.com]?

logpath??=?/opt/soft/bind/log/query.log??#指定過濾日志

bantime??=?3600?#封鎖時間,單位秒,

findtime??=?100? #100秒內超過次數屏蔽,單位秒

maxretry?=?3? #最大嘗試次數

ignoreip?=?127.0.0.1?

?

[named-refused-tcp]?

enabled??=?true?

filter???=?named-refused?

action???=?iptables-multiport[name=Named,?port=53,?protocol=tcp]?

???????????sendmail-whois[name=Named,?dest=cecnck@gmail.com]?

logpath??=?/opt/soft/bind/log/query.log?

bantime??=?360000?

findtime??=?100?

maxretry?=?3?

ignoreip?=?127.0.0.1?

添加過濾規則:named-refused.conf

#?Fail2Ban?configuration?file?for?named?(bind9).?Trying?to?generalize?the?

#??????????structure?which?is?general?to?capture?general?patterns?in?log?

#??????????lines?to?cover?different?configurations/distributions?

#?

#?$Revision:?730?$?

#?

??

[Definition]?

??

#?

#?Daemon?name?

_daemon=named?

??

#?

#?Shortcuts?for?easier?comprehension?of?the?failregex?

__pid_re=(?:\[\d+\])?

__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:??

__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)?

#???????hostname???????daemon_id?????????spaces?

#?this?can?be?optional?(for?instance?if?we?match?named?native?log?files)?

__line_prefix=(?:\s\S+?%(__daemon_combs_re)s\s+)??

??

#?Option:?failregex?

#?Notes.:?regex?to?match?the?password?failures?messages?in?the?logfile.?

#?Values:?TEXT?

#?

failregex?=?%(__line_prefix)sclient?<HOST>#.+:?query:?(baidu.com|isc.org)?IN?ANY?\+ED*?

??

#?Option:??ignoreregex?

#?Notes.:??regex?to?ignore.?If?this?regex?matches,?the?line?is?ignored.?

#?Values:??TEXT?

#?

ignoreregex?=?

執行動作文件#egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf?

[Definition]?

actionstart?=?iptables?-N?fail2ban-<name>?

??????????????iptables?-A?fail2ban-<name>?-j?RETURN?

??????????????iptables?-I?INPUT?-p?<protocol>?-m?multiport?--dports?<port>?-j?fail2ban-<name>?

actionstop?=?iptables?-D?INPUT?-p?<protocol>?-m?multiport?--dports?<port>?-j?fail2ban-<name>?

?????????????iptables?-F?fail2ban-<name>?

?????????????iptables?-X?fail2ban-<name>?

actioncheck?=?iptables?-n?-L?INPUT?|?grep?-q?fail2ban-<name>?

actionban?=?iptables?-I?fail2ban-<name>?1?-s?<ip>?-j?DROP?

actionunban?=?iptables?-D?fail2ban-<name>?-s?<ip>?-j?DROP?

[Init]?

name?=?default?

port?=?ssh?

protocol?=?tcp?

fail2ban-client ?start或fail2ban-server 啟動服務

我們看下效果吧，已經有拉黑的IP了。

#fail2ban-client ?status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
| ?|- File list: /opt/soft/bind/log/query.log?
| ?|- Currently failed: 5
| ?`- Total failed: 299
`- action
? ?|- Currently banned: 5
? ?| ?`- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32 ? (國外的IP已經拉黑啦)
? ?`- Total banned: 15

Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
?pkts bytes target ? ? prot opt in ? ? out ? ? source ? ? ? ? ? ? ? destination ? ? ? ??

Iptables的也已經自動添加了
Chain fail2ban-Named (2 references)
?pkts bytes target ? ? prot opt in ? ? out ? ? source ? ? ? ? ? ? ? destination ? ? ? ??
? ? 9 ? 576 DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 174.142.207.122 ? ? ?0.0.0.0/0 ? ? ? ? ??
? 241 15424 DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 61.147.120.25 ? ? ? ?0.0.0.0/0 ? ? ? ? ??
? ?27 ?1728 DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 61.147.112.32 ? ? ? ?0.0.0.0/0 ? ? ? ? ??
? 115 ?7360 DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 178.32.244.170 ? ? ? 0.0.0.0/0 ? ? ? ? ??
? 119 ?7616 DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 61.147.112.29 ? ? ? ?0.0.0.0/0 ? ? ? ? ??
? ?51 ?3264 DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 94.75.243.137 ? ? ? ?0.0.0.0/0 ? ? ? ? ??
?2206 ?141K DROP ? ? ? all ?-- ?* ? ? ?* ? ? ? 107.20.206.69 ? ? ? ?0.0.0.0/0 ? ? ? ? ??
12829 ?833K RETURN ? ? all ?-- ?* ? ? ?* ? ? ? 0.0.0.0/0 ? ? ? ? ? ?0.0.0.0/0 ? ? ? ? ??
? ? 0 ? ? 0 RETURN ? ? all ?-- ?* ? ? ?* ? ? ? 0.0.0.0/0 ? ? ? ? ? ?0.0.0.0/0 ? ?

查閱資料地址:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html

http://www.isc.org/software/bind/documentation

http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query

http://www.bergercity.de/tag/bind/

http://sourceforge.net/projects/fail2ban/

http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup

?

?

轉載于:https://blog.51cto.com/5iqiong/1175015

總結

以上是生活随笔為你收集整理的Iptables-Fail2ban处理bind 非法***的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。