Gentoo Forums
[solved] fail2ban + iptables on named-refused not working
noclear2000 (Apprentice; Joined: 21 Jun 2006; Posts: 153; Location: Germany)
Posted: Fri Aug 09, 2013 11:29 am    Post subject: [solved] fail2ban + iptables on named-refused not working

hi,


my named daemon is filling my disk with:

Code:

Aug  9 13:21:56 treehouse named[6200]: client 194.31.241.111#18029 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:56 treehouse named[6200]: client 194.31.241.111#20830 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#63663 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#5468 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#6184 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#39970 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#25741 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#50119 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:58 treehouse named[6200]: client 194.31.241.111#28646 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:58 treehouse named[6200]: client 194.31.241.111#11973 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied


For lots of different IPs. That is a problem. I thought I could make use of fail2ban to get rid of them.


fail2ban banned the IPs according to the log. But the querying goes on and fail2ban says:
Code:

2013-08-09 13:23:59,781 fail2ban.actions: INFO   [named-refused-tcp] 194.31.241.111 already banned
2013-08-09 13:24:02,784 fail2ban.actions: INFO   [named-refused-tcp] 194.31.241.111 already banned
2013-08-09 13:24:04,786 fail2ban.actions: INFO   [named-refused-tcp] 194.31.241.111 already banned


which is true as I can see it in iptables:
Code:

root@treehouse [~]# iptables -L -n | grep 194.31.241.111
REJECT     all  --  194.31.241.111       0.0.0.0/0            reject-with icmp-port-unreachable
root@treehouse [~]#


This is a new system so I just started configuring. Nothing else yet in iptables. I did set sshd to != 22 so that I do not need to deal with log explosion there also for now. Before I populate iptables with my rules I'd like to make fail2ban work so that nothing is interfering with it.


After a few minutes some IPs got banned with no effect:
Code:
root@treehouse [~]# iptables -L -n                     
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-Named  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 53,953
fail2ban-FOPENPHP  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-BadBots  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
fail2ban-SSHRESC  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10022
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-FOPENPHP (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-Named (1 references)
target     prot opt source               destination         
REJECT     all  --  212.73.87.254        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  156.154.98.93        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  207.226.173.66       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  213.83.21.21         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  109.194.113.5        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  217.69.133.70        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  213.56.26.139        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  213.56.26.137        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  217.12.192.26        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  109.195.96.4         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  62.112.98.51         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  109.195.48.4         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  176.192.224.198      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  194.31.241.111       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  176.192.224.194      0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SSHRESC (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
root@treehouse [~]#



But they still go on querying so they are not really blocked... Any idea?

Thanks a lot!
Cheers


Last edited by noclear2000 on Mon Aug 12, 2013 4:28 pm; edited 1 time in total
broken_chaos (Guru; Joined: 18 Jan 2006; Posts: 370; Location: Ontario, Canada)
Posted: Sat Aug 10, 2013 9:07 pm

Something similar once happened to me, and it turned out I'd forgotten I'd disabled REJECT support in netfilter. Check if CONFIG_IP_NF_TARGET_REJECT and/or CONFIG_IP6_NF_TARGET_REJECT are set in your kernel config (`grep REJECT /usr/src/linux/.config`).

If they're not set, you can either set them, recompile, and reboot, or change /etc/fail2ban/action.d/iptables-blocktype.conf to have blocktype = DROP instead of REJECT.
noclear2000 (Apprentice; Joined: 21 Jun 2006; Posts: 153; Location: Germany)
Posted: Sat Aug 10, 2013 11:02 pm

Hi broken_chaos,

Thanks a lot! Your reply is really appreciated. This is driving me nuts. Looks like I have NF_REJECT enabled for IPv4 and as a module for IPv6:
Code:

root@treehouse [~]# zgrep -i reject /proc/config.gz
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP6_NF_TARGET_REJECT=m
root@treehouse [~]#


However I am now trying DROP vs REJECT to see if it helps...

Thanks again and cheers,


EDIT1:

Doesn't look like it is working...
It is using DROP:
Code:

Chain fail2ban-Named (1 references)
target     prot opt source               destination         
DROP       all  --  217.69.133.70        0.0.0.0/0           
DROP       all  --  212.33.225.210       0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

but to no avail:
Code:

2013-08-11 01:00:37,022 fail2ban.filter : WARNING Determined IP using DNS Lookup: hsi-kbw-134-3-117-59.hsi14.kabel-badenwuerttemberg.de = ['134.3.117.59']
2013-08-11 01:04:36,175 fail2ban.actions: WARNING [named-refused-tcp] Ban 212.33.225.210
2013-08-11 01:05:40,281 fail2ban.actions: WARNING [named-refused-tcp] Ban 217.69.133.70
2013-08-11 01:05:48,310 fail2ban.actions: INFO   [named-refused-tcp] 217.69.133.70 already banned


:cry:
broken_chaos (Guru; Joined: 18 Jan 2006; Posts: 370; Location: Ontario, Canada)
Posted: Sun Aug 11, 2013 8:12 pm

Oh! I didn't spot it at first, but your fail2ban rules (in the INPUT chain) are only being applied to tcp traffic. As DNS is mostly udp (except for large requests), they're mostly not being blocked. Your configuration for named in fail2ban should, assuming it's using fail2ban's default iptables-multiport action, look something like this: "action = iptables-multiport[name=Named, port="domain,953", protocol=all]" (note the 'protocol=all').

I believe that will fix your problem there.
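As an added check for the mismatch broken_chaos points out (this is example code, not from the thread or from fail2ban): it parses `iptables -L -n` output like the one posted above and lists banned addresses that sit in a chain INPUT only jumps to for tcp, so UDP DNS queries from those addresses are never matched. The sample is a constructed, trimmed copy of the thread's own output.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the thread's `iptables -L -n` output:
# INPUT only jumps to fail2ban-Named for tcp, so udp DNS bypasses the bans.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-Named  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 53,953
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain fail2ban-Named (1 references)
target     prot opt source               destination
REJECT     all  --  194.31.241.111       0.0.0.0/0            reject-with icmp-port-unreachable
DROP       all  --  217.69.133.70        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")

def parse_chains(text):
    """Map chain name -> list of (target, prot, source) from `iptables -L -n`."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        if current is None or len(parts) < 4 or parts[0] == "target":
            continue  # blank line or the column header row
        chains[current].append((parts[0], parts[1], parts[3]))
    return chains

def tcp_only_bans(text):
    """Return {chain: [banned source, ...]} for user-defined chains that INPUT
    reaches only via tcp rules; bans listed here do not affect udp traffic."""
    chains = parse_chains(text)
    prots = defaultdict(set)
    for target, prot, _ in chains.get("INPUT", []):
        if target in chains:  # a jump to a user-defined (fail2ban) chain
            prots[target].add(prot)
    result = {}
    for chain, seen in prots.items():
        if seen <= {"tcp"}:
            banned = [src for tgt, _, src in chains[chain]
                      if tgt in ("DROP", "REJECT") and src != "0.0.0.0/0"]
            if banned:
                result[chain] = banned
    return result
```

An INPUT rule with prot `all` or `udp` for the same chain (what `protocol=all` or a separate UDP jail produces) makes the chain drop out of the report.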
noclear2000 (Apprentice; Joined: 21 Jun 2006; Posts: 153; Location: Germany)
Posted: Mon Aug 12, 2013 4:27 pm

Hi again,

stupid me! Yes, you are right. Thanks a lot. However prot=all doesn't work, but splitting into two jails for UDP and TCP works just fine.

However the UDP Names jail comes with a warning comment:
Code:

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]


So maybe I have to live with the denied messages... I reviewed my BIND config and to me it seems pretty valid. Sadly it is quite verbose on denied cache queries. It is blowing up the logs "a little"; maybe a frequent rotation would help. Allowing the DNS cache queries from "any"one is not a good idea, I assume. That's what some suggest in forums around the net, but this is quite likely counter-productive and maybe making me part of some (amplification) attack, right?

But my initial question is solved, thanks a lot broken_chaos! I am going to mark it as solved. :)