This morning I noticed that DNS traffic looked abnormal. The query.log looked like this:
09-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.557 queries: info: client 185.12.119.16#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.588 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.657 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.663 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.758 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.802 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)
09-Apr-2013 13:49:33.824 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
09-Apr-2013 13:49:33.848 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)
Mitigation:
Add iptables rules (the connlimit match module must be available) to limit the rate of new connections and the number of concurrent connections per source IP:
# -m limit matches the packets that are still within the allowance (20 SYN/s, burst 200),
# so those are accepted and the next rule drops every SYN above that rate.
-A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j DROP
# Allow at most 5 tracked connections to port 53 per single source address (/32)
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
1. First, harden BIND itself: add ACLs, restrict recursive queries, and add a blacklist.
acl "mynetwork" {
    183.61.81.0/25;
    119.38.123.0/25;
    180.60.116.0/25;
    163.172.24.0/25;
    127.0.0.1/32;
};
acl "blackhats" {
    108.162.204.88;
    184.168.72.113;
    93.170.127.96;
    72.46.155.84;
    178.33.217.2;
    72.46.132.122;
    78.159.111.197;
    192.96.200.41;
};
Changes to the global options:
allow-query { mynetwork; }; # your own networks; inside a zone statement this can be set to any
allow-recursion { mynetwork; }; # restrict recursion to your own networks
#allow-query-cache { mynetwork; }; # restrict who may query the cache
version "hello babay"; # hide the real version string
edns-udp-size 1024; # EDNS UDP message size, in bytes
max-udp-size 4096; # maximum UDP message size, in bytes
blackhole { blackhats; }; # blacklist: packets from these addresses are ignored
2. Use fail2ban to scan the log and call iptables to block the offending IP addresses
Download fail2ban: https://github.com/fail2ban
or http://sourceforge.net/projects/fail2ban/
I used fail2ban-0.8.4 here; after unpacking the archive,
run python setup.py install to complete the installation.
/etc/fail2ban/jail.conf       per-service filter (jail) configuration
/etc/fail2ban/fail2ban.conf   main configuration: socket and log file settings
/etc/fail2ban/filter.d/       directory of the filter rule files for each service
/etc/fail2ban/action.d/       directory of the action configuration files for each service
Add the jail definitions for the service to jail.conf:
[named-refused-udp]
enabled = true
# filter rule to use (filter.d/named-refused.conf)
filter = named-refused
action = iptables-multiport[name=Named, port=53, protocol=udp]
         sendmail-whois[name=Named, [email protected]]
# log file to scan
logpath = /opt/soft/bind/log/query.log
# ban duration, in seconds
bantime = 3600
# window, in seconds: ban when maxretry matches occur within 100 seconds
findtime = 100
# maximum number of matches before a ban
maxretry = 3
ignoreip = 127.0.0.1
[named-refused-tcp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port=53, protocol=tcp]
         sendmail-whois[name=Named, [email protected]]
logpath = /opt/soft/bind/log/query.log
bantime = 360000
findtime = 100
maxretry = 3
ignoreip = 127.0.0.1
Add the filter rule file named-refused.conf (under /etc/fail2ban/filter.d/):
# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# $Revision: 730 $
#
[Definition]
#
# Daemon name
_daemon=named
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sclient <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
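To see what the filter above actually does to the query.log lines from the start of the post, here is an added example (my code, not part of the original post and not fail2ban's own implementation). It expands the `%(...)s` shortcuts of `named-refused.conf` with Python's configparser, which uses the same interpolation syntax, substitutes the `<HOST>` tag with a named group (a simplified version of fail2ban's pattern, an assumption that is adequate for IPv4 clients), and then applies the jail's `findtime`/`maxretry` sliding window to decide which clients would be banned. The log lines are constructed for the example and mirror the format of the ones above.

```python
"""Expand the fail2ban named-refused failregex and replay the jail's
findtime/maxretry window over constructed BIND query.log lines."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# [Definition] section of named-refused.conf as shown in the post (comments dropped).
FILTER_INI = r"""
[Definition]
_daemon=named
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = %(__line_prefix)sclient <HOST>#.+: query: (baidu.com|isc.org) IN ANY \+ED*
ignoreregex =
"""

# Assumption: a simplified form of the pattern fail2ban substitutes for <HOST>.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sample lines in BIND's native query-log format (not real traffic).
SAMPLE_LOG = [
    "09-Apr-2013 13:49:33.418 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)",
    "09-Apr-2013 13:49:33.475 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)",
    "09-Apr-2013 13:49:33.516 queries: info: client 70.39.93.72#49940: view other_user: query: isc.org IN ANY +ED (163.177.24.74)",
    "09-Apr-2013 13:49:33.487 queries: info: client 199.19.213.88#25345: view other_user: query: isc.org IN ANY +ED (183.60.126.74)",
    "09-Apr-2013 13:49:40.001 queries: info: client 203.0.113.7#5300: view other_user: query: www.example.com IN A +ED (183.60.126.74)",
    "09-Apr-2013 13:49:41.120 queries: info: client 198.51.100.9#1234: view other_user: query: isc.org IN MX +ED (183.60.126.74)",
]


def build_failregex(filter_ini: str) -> "re.Pattern[str]":
    """Resolve the %(name)s shortcuts and the <HOST> tag into one compiled regex."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(filter_ini)
    regex = cp.get("Definition", "failregex").replace("<HOST>", HOST_TAG)
    return re.compile(regex)


def parse_bind_time(line: str) -> datetime:
    """BIND's native log starts with a '09-Apr-2013 13:49:33.418' timestamp."""
    stamp = " ".join(line.split(" ", 2)[:2])
    return datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S.%f")


def matched_hosts(lines, failregex):
    """Yield (timestamp, client address) for every line the failregex matches.
    fail2ban applies the regex with search(), so the optional syslog prefix may be absent."""
    for line in lines:
        m = failregex.search(line)
        if m:
            yield parse_bind_time(line), m.group("host")


def hosts_to_ban(lines, failregex, findtime=100, maxretry=3):
    """Replay the jail's window: ban a client once it has at least maxretry
    matching lines within the last findtime seconds. Returns clients in ban order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = []
    for ts, host in sorted(matched_hosts(lines, failregex)):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    regex = build_failregex(FILTER_INI)
    print("expanded failregex:", regex.pattern)
    for ts, host in matched_hosts(SAMPLE_LOG, regex):
        print(ts.time(), host)
    print("would ban:", hosts_to_ban(SAMPLE_LOG, regex))
```

Only the `isc.org IN ANY` lines match; the A and MX lookups from the other two constructed clients are ignored, so with the jail's `findtime = 100` and `maxretry = 3` only 199.19.213.88 (three matches within 70 ms) is banned, while 70.39.93.72 with a single match is not. Tuning `maxretry` and `findtime` in this replay is a cheap way to check how aggressive a jail will be before enabling it on a live resolver.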
The action file, with comments stripped (# egrep -v '^#|^$' /etc/fail2ban/action.d/iptables-multiport.conf):
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
name = default
port = ssh
protocol = tcp
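The `<name>`, `<port>`, `<protocol>` and `<ip>` tags in that file are filled from the `[Init]` defaults, overridden by the parameters the jail passes in `iptables-multiport[name=Named, port=53, protocol=udp]`, and `<ip>` is supplied at ban time. The following added example (my code, not fail2ban's own renderer) reads the action file above and prints the exact iptables commands fail2ban would run for the udp jail; the 203.0.113.7 address is a constructed placeholder.

```python
"""Render the iptables-multiport action file into concrete iptables commands
for a given jail action line, the way fail2ban substitutes its <tag>s."""
import configparser
import re
from collections import Counter

# The action file exactly as shown in the post (continuation lines indented).
ACTION_INI = """
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
name = default
port = ssh
protocol = tcp
"""

# The action line of the post's udp jail.
JAIL_ACTION = "iptables-multiport[name=Named, port=53, protocol=udp]"


def parse_action_spec(spec: str):
    """Split 'action[key=val, key=val]' into the action name and its overrides."""
    m = re.fullmatch(r"(\S+?)(?:\[(.*)\])?", spec.strip())
    name, params = m.group(1), m.group(2) or ""
    overrides = {}
    for kv in filter(None, (p.strip() for p in params.split(","))):
        key, value = kv.split("=", 1)
        overrides[key.strip()] = value.strip()
    return name, overrides


def render(template: str, tags: dict) -> list:
    """Replace every <tag> and return one command per non-empty line."""
    out = template
    for key, value in tags.items():
        out = out.replace("<%s>" % key, value)
    return [cmd.strip() for cmd in out.splitlines() if cmd.strip()]


def action_commands(action_ini: str, jail_action: str, ip=None) -> dict:
    """Commands for each phase: [Init] defaults, then jail overrides, then <ip>.
    If ip is None the ban/unban commands keep the literal <ip> tag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(action_ini)
    _, overrides = parse_action_spec(jail_action)
    tags = dict(cp.items("Init"))
    tags.update(overrides)
    if ip is not None:
        tags["ip"] = ip
    return {phase: render(cp.get("Definition", phase), tags)
            for phase in ("actionstart", "actioncheck", "actionban", "actionunban", "actionstop")}


def chain_usage(jail_actions) -> Counter:
    """How many jails share each fail2ban-<name> chain; the post's udp and tcp
    jails both pass name=Named, which is why iptables -L shows '(2 references)'."""
    return Counter("fail2ban-" + parse_action_spec(a)[1].get("name", "default")
                   for a in jail_actions)


if __name__ == "__main__":
    for phase, cmds in action_commands(ACTION_INI, JAIL_ACTION, ip="203.0.113.7").items():
        print(phase)
        for cmd in cmds:
            print("   ", cmd)
    print(chain_usage([JAIL_ACTION, "iptables-multiport[name=Named, port=53, protocol=tcp]"]))
```

Running it shows why the jail must pass `port=53` and `protocol=udp`: without overrides the `[Init]` section would hook the chain into INPUT for `tcp` traffic to `ssh`, and nothing on port 53 would ever be filtered.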
Start the service with fail2ban-client start or fail2ban-server.
Let's check the result: some IPs have already been banned.
#fail2ban-client status named-ddos-tcp
Status for the jail: named-ddos-tcp
|- filter
| |- File list: /opt/soft/bind/log/query.log
| |- Currently failed: 5
| `- Total failed: 299
`- action
|- Currently banned: 5
| `- IP list: 107.20.206.69 94.75.243.137 61.147.112.29 178.32.244.170 61.147.112.32 (the foreign IPs have been blacklisted)
`- Total banned: 15
The iptables rules have also been added automatically:
Chain OUTPUT (policy ACCEPT 163M packets, 203G bytes)
 pkts bytes target prot opt in out source destination
Chain fail2ban-Named (2 references)
 pkts bytes target prot opt in out source destination
9 576 DROP all -- * * 174.142.207.122 0.0.0.0/0
241 15424 DROP all -- * * 61.147.120.25 0.0.0.0/0
27 1728 DROP all -- * * 61.147.112.32 0.0.0.0/0
115 7360 DROP all -- * * 178.32.244.170 0.0.0.0/0
119 7616 DROP all -- * * 61.147.112.29 0.0.0.0/0
51 3264 DROP all -- * * 94.75.243.137 0.0.0.0/0
2206 141K DROP all -- * * 107.20.206.69 0.0.0.0/0
12829 833K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
References consulted:
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.html
http://www.isc.org/software/bind/documentation
http://www.minihowto.eu/protectio-against-isc-org-any-attack-dns-attack-isc-org-any-query
http://www.bergercity.de/tag/bind/
http://sourceforge.net/projects/fail2ban/
http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_0.7.x#Iptables_action_setup