This morning I noticed some abnormal DNS traffic. The query.log looked like this:
9-Apr-2014 13:49:33.418 queries: info: client 168.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)
09-Apr-2014 13:49:33.475 queries: info: client 168.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)
09-Apr-2014 13:49:33.487 queries: info: client 168.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)
09-Apr-2014 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2014 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)
09-Apr-2014 13:49:33.588 queries: info: client 168.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)
09-Apr-2014 13:49:33.657 queries: info: client 168.19.213.88#25345: view other_user:
Remedy:
Add iptables rules (the connlimit match module must be available) to limit the number of concurrent requests per source IP. Order matters: the per-IP connlimit rules come first, then the SYN rate limit accepts what fits within the allowance and a final rule drops the excess:
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP
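To make the behaviour of the SYN rate-limit rule above concrete, here is a small simulation of the iptables limit match's token bucket. This is an added example written for this page, not iptables code and not part of the original post; it assumes the bucket starts full at --limit-burst tokens, refills continuously at the --limit rate, and that a packet matches only when a whole token is available. The traffic timeline is constructed.

```python
"""Token-bucket model of the iptables 'limit' match used in the SYN rule.
Added example; it models the match, it is not iptables code.
Assumptions: the bucket starts full at `burst` tokens, refills continuously
at `limit_per_sec`, and a packet matches only when a whole token is left."""


def simulate_limit(arrivals, limit_per_sec=20.0, burst=200):
    """Return (matched, not_matched) packet counts for a list of packet
    arrival times in seconds, sorted ascending."""
    tokens = float(burst)          # bucket is full when the rule is loaded
    last = arrivals[0] if arrivals else 0.0
    matched = not_matched = 0
    for t in arrivals:
        # refill for the time elapsed since the previous packet, capped at burst
        tokens = min(float(burst), tokens + (t - last) * limit_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            matched += 1           # inside the allowance: the limit match fires
        else:
            not_matched += 1       # allowance exhausted: the match does not fire
    return matched, not_matched


def syn_flood_then_normal():
    """Constructed traffic: 1000 SYNs arriving in one instant (a flood),
    a quiet second, then 10 SYN/s for 10 s (ordinary TCP clients)."""
    flood = [0.0] * 1000
    normal = [1.0 + i / 10 for i in range(100)]
    return simulate_limit(flood + normal)


if __name__ == "__main__":
    m, n = syn_flood_then_normal()
    print(f"within the limit (accepted): {m}, over the limit (dropped): {n}")
```

With the limit match on an ACCEPT rule followed by an unconditional DROP for the same SYN pattern, 300 of the 1100 SYNs are accepted and the 800 excess flood packets are dropped; the clients arriving after the burst are unaffected because the bucket refills at 20 tokens per second. Attaching the limit match directly to a DROP target inverts this: the packets inside the allowance are dropped and the excess passes, which is the opposite of what a rate limit is meant to do.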
1. First, check BIND's own security: define ACLs in BIND, restrict recursive queries, and add a blacklist.
acl "mynetwork" {
    173.61.81.0/25;
    119.38.123.0/25;
    180.60.116.0/25;
    163.172.24.0/25;
    127.0.0.1/32;
};
acl "blackhats" {
    108.162.204.88;
    184.168.72.113;
    93.170.127.96;
    72.46.155.84;
    178.33.217.2;
    72.46.132.122;
    78.159.111.197;
    192.96.200.41;
};
Changes to the global options:
allow-query { mynetwork; };         # your own networks; inside a zone statement this can be set to any
allow-recursion { mynetwork; };     # restrict recursion to your own networks
#allow-query-cache { mynetwork; };  # restrict queries against the cache
version "hello babay";              # hide the real version
edns-udp-size 1024;                 # EDNS UDP message size advertised, in bytes
max-udp-size 4096;                  # maximum UDP message size sent, in bytes
blackhole { blackhats; };           # blacklist: packets from these addresses are ignored
2. Use fail2ban to filter the log and call iptables to block the offending IP addresses.
Download fail2ban: https://github.com/fail2ban
or http://sourceforge.net/projects/fail2ban/
I used fail2ban-0.8.4 here; after unpacking the archive,
run python setup.py install to complete the installation.
/etc/fail2ban/jail.conf       configuration of the filtered services (jails)
/etc/fail2ban/fail2ban.conf   main configuration file: socket and log file settings
/etc/fail2ban/filter.d/       directory holding the filter rule files for each service
/etc/fail2ban/action.d/       directory holding the action configuration files for each service
Add the entries for the service to jail.conf:
[named-refused-udp]
enabled = true
# filter rule to use
filter = named-refused
action = iptables-multiport[name=Named, port=53, protocol=udp]
         sendmail-whois[name=Named, dest=cecnck@gmail.com]
# log file to filter
logpath = /opt/soft/bind/log/query.log
# ban duration, in seconds
bantime = 3600
# window, in seconds: more than maxretry matches within it triggers a ban
findtime = 100
# maximum number of matches tolerated
maxretry = 3
ignoreip = 127.0.0.1

[named-refused-tcp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port=53, protocol=tcp]
         sendmail-whois[name=Named, dest=cecnck@gmail.com]
logpath = /opt/soft/bind/log/query.log
bantime = 360000
findtime = 100
maxretry = 3
ignoreip = 127.0.0.1
Add the filter rule file named-refused.conf:
# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# $Revision: 730 $
#
[Definition]
#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
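The jail parameters (findtime, maxretry, ignoreip) and the failregex above work together, and it is worth dry-running them before enabling the jail on a busy resolver. The following Python script is an added example, not fail2ban's own code and not part of the original post: it expands the filter's shortcut definitions by hand the way fail2ban's %(name)s interpolation does, substitutes the <HOST> tag with the group fail2ban 0.8 uses (assumed here to be IPv4-only logs), and applies a findtime/maxretry window to show which clients would be banned. The log lines are constructed with RFC 5737 documentation addresses, modelled on the query.log format shown at the top of the post.

```python
"""Dry run of the named-refused filter and jail window over constructed
query.log lines.  Added example; not fail2ban's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Definitions copied from named-refused.conf and interpolated by hand
# (names shortened from __pid_re etc. to avoid Python's __ conventions).
_daemon = "named"
_pid_re = r"(?:\[\d+\])"
_daemon_re = r"\(?%s(?:\(\S+\))?\)?:?" % _daemon
_daemon_combs_re = r"(?:%s?:\s+%s|%s%s?:)" % (_pid_re, _daemon_re, _daemon_re, _pid_re)
_line_prefix = r"(?:\s\S+ %s\s+)?" % _daemon_combs_re
FAILREGEX = _line_prefix + r"client <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED*"

# Group fail2ban 0.8 substitutes for <HOST> (assumption: plain IPv4 in these logs)
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Constructed sample log (RFC 5737 addresses), same shape as BIND query.log
SAMPLE_LOG = [
    "09-Apr-2014 13:49:33.418 queries: info: client 203.0.113.10#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)",
    "09-Apr-2014 13:49:33.475 queries: info: client 203.0.113.10#25345: view other_user: query: isc.org IN ANY +ED (173.60.126.74)",
    "09-Apr-2014 13:49:33.516 queries: info: client 198.51.100.7#49940: view other_user: query: isc.org IN ANY +ED (173.60.126.74)",
    "09-Apr-2014 13:49:33.557 queries: info: client 203.0.113.20#4100: view other_user: query: www.example.com IN A +ED (173.60.126.74)",
    "09-Apr-2014 13:49:33.588 queries: info: client 203.0.113.10#25345: view other_user: query: baidu.com IN ANY +E (173.60.126.74)",
    "09-Apr-2014 13:49:33.657 queries: info: client 203.0.113.10#25345: view other_user:",
    "09-Apr-2014 13:52:10.001 queries: info: client 198.51.100.7#49940: view other_user: query: isc.org IN ANY +ED (173.60.126.74)",
    "09-Apr-2014 13:52:10.200 queries: info: client 198.51.100.7#49940: view other_user: query: isc.org IN ANY +ED (173.60.126.74)",
    "09-Apr-2014 13:52:11.000 queries: info: client 127.0.0.1#5300: view other_user: query: isc.org IN ANY +ED (127.0.0.1)",
]


def match_host(line):
    """Return the client address if the line matches failregex, else None."""
    m = PATTERN.search(line)
    return m.group("host") if m else None


def parse_time(line):
    """BIND query.log lines start with a stamp like '09-Apr-2014 13:49:33.418'."""
    stamp = " ".join(line.split(" ", 2)[:2])
    return datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S.%f")


def count_matches(lines):
    """Total failregex hits per client, ignoring the jail window."""
    counts = defaultdict(int)
    for line in lines:
        host = match_host(line)
        if host:
            counts[host] += 1
    return dict(counts)


def find_bans(lines, findtime=100, maxretry=3, ignoreip=("127.0.0.1",)):
    """Emulate the jail: a host is banned once it reaches maxretry matching
    lines within findtime seconds.  Returns banned hosts in ban order."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)
    banned = []
    for line in lines:
        host = match_host(line)
        if host is None or host in ignoreip or host in banned:
            continue
        now = parse_time(line)
        recent = [t for t in failures[host] if now - t <= window]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("hits per client:", count_matches(SAMPLE_LOG))
    print("banned with findtime=100, maxretry=3:", find_bans(SAMPLE_LOG))
```

The truncated line (a client entry with no query, like the last log line at the top of the post) and the ordinary "IN A" query are skipped by the regex; 198.51.100.7 also produces three hits, but its first one falls outside the 100-second window, so with the jail's settings only 203.0.113.10 is banned, while a 600-second findtime would ban both.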
The action file (# egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf):
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
name = default
port = ssh
protocol = tcp
Start the service with fail2ban-client start or fail2ban-server.
Let's look at the result: some IPs have already been blacklisted.
#fail2ban-client status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
| |- File list: /opt/soft/bind/log/query.log
| |- Currently failed: 5
| `- Total failed: 299
`- action
|- Currently banned: 5
| `- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32 (the foreign IPs have been blacklisted)
`- Total banned: 15
The iptables rules have also been added automatically:
Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-Named (2 references)
pkts bytes target prot opt in out source destination
9 576 DROP all -- * * 174.142.207.122 0.0.0.0/0
241 15424 DROP all -- * * 61.147.120.25 0.0.0.0/0
27 1728 DROP all -- * * 61.147.112.32 0.0.0.0/0
115 7360 DROP all -- * * 178.32.244.170 0.0.0.0/0
119 7616 DROP all -- * * 61.147.112.29 0.0.0.0/0
51 3264 DROP all -- * * 94.75.243.137 0.0.0.0/0
2206 141K DROP all -- * * 107.20.206.69 0.0.0.0/0
12829 833K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
References:
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html
http://www.isc.org/software/bind/documentation
http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query
http://www.bergercity.de/tag/bind/
http://sourceforge.net/projects/fail2ban/
http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup