
Blocking DNS DDoS with Fail2ban

  1. Edit the named.conf configuration file so that only the local IP ranges may perform recursive lookups of external domains, and only queries from the local IP ranges are answered from the cache.
    [root@dns ~]# vim /etc/named.conf
    [root@dns ~]# grep local_subnet /etc/named.conf
    acl "local_subnet"{ 163.17.0.0/16; 120.110.0.0/16; };
    	allow-query-cache { local_subnet; };
    	allow-recursion { local_subnet; };
    
  2. Restart the named service.
    [root@dns ~]# /etc/init.d/named restart
    
  3. Install fail2ban.
    [root@dns ~]# yum install fail2ban
    
  4. fail2ban already ships with patterns for blocking DNS DDoS attacks; after editing the configuration, start the fail2ban service and enable it at boot.
    [root@dns ~]# vim /etc/fail2ban/jail.conf 
    [root@dns ~]# /etc/init.d/fail2ban start
    [root@dns ~]# chkconfig fail2ban on
    
  5. Use fail2ban-client to add the three patterns (jails) nsd, named-refused and named-refused-udp, then check their status.
    [root@dns ~]# fail2ban-client add nsd
    Added jail nsd
    [root@dns ~]# fail2ban-client status nsd
    Status for the jail: nsd
    |- Filter
    |  |- Currently failed:	0
    |  |- Total failed:	0
    |  `- File list:	
    `- Actions
       |- Currently banned:	0
       |- Total banned:	0
       `- Banned IP list:	
    [root@dns ~]# fail2ban-client add named-refused
    Added jail named-refused
    [root@dns ~]# fail2ban-client status named-refused
    Status for the jail: named-refused
    |- Filter
    |  |- Currently failed:	0
    |  |- Total failed:	0
    |  `- File list:	
    `- Actions
       |- Currently banned:	0
       |- Total banned:	0
       `- Banned IP list:	
    [root@dns ~]# fail2ban-client add named-refused-udp
    Added jail named-refused-udp
    [root@dns ~]# fail2ban-client status named-refused-udp
    Status for the jail: named-refused-udp
    |- Filter
    |  |- Currently failed:	0
    |  |- Total failed:	0
    |  `- File list:	
    `- Actions
       |- Currently banned:	0
       |- Total banned:	0
       `- Banned IP list:
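
As an added example (not part of the original page and not fail2ban's own code), the counting rule behind the named-refused jail reconstructed in Python: BIND's "query ... denied" lines are parsed per client IP, and an IP is reported once it reaches maxretry denied queries inside a sliding findtime window. The log line format, the maxretry/findtime values and the sample log are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern modelled on BIND 9's "query ... denied" log line (assumed format, not fail2ban's own regex).
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query(?: \(cache\))? '[^']*' denied"
)

# Constructed sample log: one client hammers ANY queries, one is refused once, one local client is permitted.
SAMPLE_LOG = """\
28-Jul-2018 10:00:01.000 client 198.51.100.7#53211 (example.com): query (cache) 'example.com/ANY/IN' denied
28-Jul-2018 10:00:02.000 client 198.51.100.7#53212 (example.com): query (cache) 'example.com/ANY/IN' denied
28-Jul-2018 10:00:03.000 client 203.0.113.9#4000 (isc.org): query (cache) 'isc.org/ANY/IN' denied
28-Jul-2018 10:00:04.000 client 198.51.100.7#53213 (example.com): query (cache) 'example.com/ANY/IN' denied
28-Jul-2018 10:00:05.000 client 198.51.100.7#53214 (example.com): query (cache) 'example.com/ANY/IN' denied
28-Jul-2018 10:00:06.000 client 163.17.1.5#5000 (example.com): query: example.com IN A +
28-Jul-2018 10:00:07.000 client 198.51.100.7#53215 (example.com): query (cache) 'example.com/ANY/IN' denied
""".splitlines()

def parse_denied(line):
    """Return (timestamp, client_ip) for a query-denied line, or None for anything else."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"), m.group("ip")

def find_ban_candidates(lines, maxretry=5, findtime=600):
    """IPs with at least `maxretry` denied queries inside any `findtime`-second window
    (the same sliding-window rule a fail2ban jail applies; the values here are assumed)."""
    recent = defaultdict(deque)  # client ip -> timestamps of its recent denied queries
    banned = []
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, ip = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(find_ban_candidates(SAMPLE_LOG))  # ['198.51.100.7']
```

The single refusal from 203.0.113.9 and the permitted query from the local client never reach the threshold, which is the behaviour the named-refused jail's "Currently failed" counter reflects before a ban is issued.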
    


De-Yu Wang 2018-08-08