Iptables-Fail2ban處理bind 非法***

 早上發現DNS流量有些異常，查了query.log日誌如下:

9-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.588 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.657 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.663 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.758 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.802 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.824 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.848 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)

處理方法:

添加iptables規則(需要添加connlimit模塊),限制單IP併發請求數:

-A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j DROP
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP

一、首先檢查bind本身安全，利用bind添加acl,同時限制遞歸查詢，添加黑名單。

acl "mynetwork" {
183.61.81.0/25;
119.38.123.0/25;
180.60.116.0/25;
163.172.24.0/25;
127.0.0.1/32;
};
acl "blackhats" {
108.162.204.88;
184.168.72.113;
93.170.127.96;
72.46.155.84;
178.33.217.2;
72.46.132.122;
78.159.111.197;
192.96.200.41;
};

全局設置變更：

allow-query { mynetwork; };  #這裏設置自己網絡，zone裏面可以設置成any

allow-recursion { mynetwork; };   #針對遞歸進行處理
#allow-query-cache {mynetwork;};  #針對查詢緩存處理

        version                     "hello babay"; #隱藏版本

        edns-udp-size 1024;  # 設置udp消息大小，單位字節

        max-udp-size 4096; #設置最大udp消息大小，單位字節

    blackhole {blackhats;};#設置黑名單

二、利用fail2ban過濾日誌,調用iptables限制指定ip地址

下載fail2ban: https://github.com/fail2ban

或http://sourceforge.net/projects/fail2ban/

我這裏用的是fail2ban-0.8.4，解壓包後

執行python setup.py install安裝完成。

/etc/fail2ban/jail.conf     過濾相關服務配置文件

/etc/fail2ban/fail2ban.conf   主配置文件，設置sock和日誌文件

/etc/fail2ban/filter.d/   相應服務的過濾規則文件路徑

/etc/fail2ban/action.d/  相應服務的動作配置文件路徑

jail.conf添加指定服務參數:

[named-refused-udp]
enabled  = true
filter   = named-refused  #指定過濾規則
action   = iptables-multiport[name=Named, port=53, protocol=udp]
           sendmail-whois[name=Named, [email protected]]
logpath  = /opt/soft/bind/log/query.log  #指定過濾日誌
bantime  = 3600 #封鎖時間,單位秒,
findtime  = 100  #100秒內超過次數屏蔽,單位秒
maxretry = 3   #最大嘗試次數
ignoreip = 127.0.0.1

[named-refused-tcp]
enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port=53, protocol=tcp]
           sendmail-whois[name=Named, [email protected]]
logpath  = /opt/soft/bind/log/query.log
bantime  = 360000
findtime  = 100
maxretry = 3
ignoreip = 127.0.0.1

添加過濾規則:named-refused.conf

# Fail2Ban configuration file for named (bind9). Trying to generalize the
#          structure which is general to capture general patterns in log
#          lines to cover different configurations/distributions
#
# $Revision: 730 $
#

[Definition]

#
# Daemon name
_daemon=named

#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
#       hostname       daemon_id         spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

執行動作文件#egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf 

[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
name = default
port = ssh
protocol = tcp

fail2ban-client  start或fail2ban-server 啓動服務

我們看下效果吧，已經有拉黑的IP了。

#fail2ban-client  status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
|  |- File list: /opt/soft/bind/log/query.log 
|  |- Currently failed: 5
|  `- Total failed: 299
`- action
   |- Currently banned: 5
   |  `- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32   (國外的IP已經拉黑啦)
   `- Total banned: 15

Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Iptables的也已經自動添加了
Chain fail2ban-Named (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   576 DROP       all  --  *      *       174.142.207.122      0.0.0.0/0           
  241 15424 DROP       all  --  *      *       61.147.120.25        0.0.0.0/0           
   27  1728 DROP       all  --  *      *       61.147.112.32        0.0.0.0/0           
  115  7360 DROP       all  --  *      *       178.32.244.170       0.0.0.0/0           
  119  7616 DROP       all  --  *      *       61.147.112.29        0.0.0.0/0           
   51  3264 DROP       all  --  *      *       94.75.243.137        0.0.0.0/0           
 2206  141K DROP       all  --  *      *       107.20.206.69        0.0.0.0/0           
12829  833K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

查閱資料地址:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html

http://www.isc.org/software/bind/documentation

http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query

http://www.bergercity.de/tag/bind/

http://sourceforge.net/projects/fail2ban/

http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup