dropping 45 byte packets with iptables
I also looked at several pages mentioning iptable -m limit options but I can't figure out this damn thing.
Wish someone could write a clear and concise step-by-step tutorial on keeping the bed bugs away with iptables.
Thanks
10 Replies
iptables -A INPUT -p udp --dport 53 --match length --length 45 -j DROP
I'm not sure about implementing it myself, though; can legitimate DNS traffic not also use 45 byte packets? Maybe it can't, since it would always be asking for more than just ".".
If you use it, please report how it works.
Wonder why I didn't see –match in the documentation anywhere.. Maybe I wasn't looking in the right place.. Thanks for the info.
Maybe I'll just fail2ban the './NS/IN' query! Hmmm..
failregex = ^%(__prefix_line)sclient <host>: query \(cache\) '\./NS/IN' denied</host>
@mwalling:
I'm using the following, with a bantime of a week
failregex = ^%(__prefix_line)sclient <host>: query \(cache\) '\./NS/IN' denied</host>
Something's wrong with my fail2ban.. When it adds the iptables chain, and the INPUT entry, it adds the wrong protocol (TCP) for blocking UDP traffic. Sure, fail2ban adds it to the chain but the INPUT entry is all wrong so everything just keeps coming in.
jail.conf
> # Fail2Ban configuration file.
#
This file was composed for Debian systems from the original one
provided now under /usr/share/doc/fail2ban/examples/jail.conf
for additional examples.
#
To avoid merges during upgrades DO NOT MODIFY THIS FILE
and rather provide your changes in /etc/fail2ban/jail.local
#
Author: Yaroslav O. Halchenko <
debian@onerussian.com >#
$Revision: 281 $
#
The DEFAULT allows a global definition of the options. They can be override
in each jail afterwards.
[DEFAULT]
"ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
"backend" specifies the backend used to get files modification. Available
options are "gamin", "polling" and "auto".
yoh: For some reason Debian shipped python-gamin didn't work as expected
This issue left ToDo, so polling is default backend for now
backend = polling
#
Destination email address used solely for the interpolations in
jail.{conf,local} configuration files.
destemail = root@localhost
#
ACTIONS
#
Default banning action (e.g. iptables, iptables-new,
iptables-multiport, shorewall, etc) It is used to define
action_* variables. Can be overriden globally or per
section within jail.local file
banaction = iptables-multiport
email action. Since 0.8.1 upstream fail2ban uses sendmail
MTA for the mailing. Change mta configuration parameter to mail
if you want to revert to conventional 'mail'.
mta = sendmail
Default protocol
protocol = tcp
#
Action shortcuts. To be used to define action parameter
The simplest action to take: ban only
action_ = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]
ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois[name=%(name)s, dest="%(destemail)s", protocol="%(protocol)s]
ban & send an e-mail with whois report and relevant log lines
to the destemail.
action_mwl = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois-lines[name=%(name)s, dest="%(destemail)s", logpath=%(logpath)s]
Choose default action. To change, just override value of 'action' with the
interpolation to the chosen action shortcut (e.g. actionmw, actionmwl, etc) in jail.local
globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
JAILS
#
Next jails corresponds to the standard configuration in Fail2ban 0.6 which
was shipped in Debian. Enable any defined here jail by including
#
[SECTION_NAME]
enabled = true
#
in /etc/fail2ban/jail.local.
#
Optionally you may override any other parameter (e.g. banaction,
action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Generic filter for pam. Has to be used with action which bans all ports
such as iptables-allports, shorewall
[pam-generic]
enabled = false
pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
HTTP servers
#
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache/error.log
maxretry = 6
default action is now multiport, so apache-multiport jail was left
for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache/error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache/error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache/error.log
maxretry = 2
#
FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
or overwrite it in jails.local to be
logpath = /var/log/auth.log
if you want to rely on PAM failed login attempts
vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
Mail servers
#
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
Mail servers authenticators: might be used for smtp,ftp,imap servers, so
all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
DNS Servers
These jails block attacks against named (bind9). By default, logging is off
with bind9 installation. You will need something like this:
#
logging {
channel security_file {
file "/var/log/named/security.log" versions 3 size 30m;
severity dynamic;
print-time yes;
};
category security {
security_file;
};
}
#
in your named.conf to provide proper logging
Word of Caution:
Given filter can lead to DoS attack against your DNS server
since there is no way to assure that UDP packets come from the
real source IP
[named-refused-udp]
enabled = true
port = domain,953
protocol = udp
banaction = iptables-allports
filter = named-refused
logpath = /var/log/named/security.log
logpath = /var/log/syslog
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
jail.local
> # Fail2Ban configuration file.
#
This file was composed for Debian systems from the original one
provided now under /usr/share/doc/fail2ban/examples/jail.conf
for additional examples.
#
To avoid merges during upgrades DO NOT MODIFY THIS FILE
and rather provide your changes in /etc/fail2ban/jail.local
#
Author: Yaroslav O. Halchenko <
debian@onerussian.com >#
$Revision: 281 $
#
The DEFAULT allows a global definition of the options. They can be override
in each jail afterwards.
[DEFAULT]
"ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 75.174.57.33
bantime = 864000
maxretry = 2
"backend" specifies the backend used to get files modification. Available
options are "gamin", "polling" and "auto".
yoh: For some reason Debian shipped python-gamin didn't work as expected
This issue left ToDo, so polling is default backend for now
backend = polling
#
Destination email address used solely for the interpolations in
jail.{conf,local} configuration files.
destemail = root@localhost
Default action to take: ban only
action = iptables[name=%(name)s, port=%(port)s]
Following actions can be chosen as an alternatives to the above action.
To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
into jail.local
Default action to take: ban & send an e-mail with whois report
to the destemail.
action = iptables[name=%(name)s, port=%(port)s]
mail-whois[name=%(name)s, dest=%(destemail)s]
Default action to take: ban & send an e-mail with whois report
and relevant log lines to the destemail.
action = iptables[name=%(name)s, port=%(port)s]
mail-whois-lines[name=%(name)s, dest=%(destemail)s, logpath=%(logpath)s]
Next jails corresponds to the standard configuration in Fail2ban 0.6
which was shipped in Debian. Please enable any defined here jail by including
#
[SECTION_NAME]
enabled = true
#
in /etc/fail2ban/jail.local.
#
[ssh]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
#
HTTP servers
#
[apache]
enabled = false
port = http
filter = apache-auth
logpath = /var/log/apache/access.log
maxretry = 6
#
FTP servers
#
[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 6
#
Mail servers
#
[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/postfix.log
[sasl]
enabled = false
port = smtp
filter = sasl
logpath = /var/log/mail.log
This file was composed for Debian systems from the original one
provided now under /usr/share/doc/fail2ban/examples/jail.conf
for additional examples.
Patch-happy distros? <url url="http://www.metasploit.com/users/hdm/tools/debian-openssl/">~~[](http://www.metasploit.com/users/hdm/tools/debian-openssl/)~~[OpenSSL](http://www.metasploit.com/users/hdm/tools/debian-openssl/)</url>? What?
[bind-ddos]
enabled = true
filter = bind-ddos
action = iptables[name=bind-ddos, port=53, protocol=udp]
mail-whois-lines[name=bind-ddos, dest=mwalling-f2b, logpath=/var/log/messages]
logpath = /var/log/messages
maxretry = 3
findtime = 60
bantime = 86400
````
> File "/usr/bin/fail2ban-client", line 375, in __readConfig
ret = self.__configurator.getOptions()
File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
return self.__jails.getOptions(jail)
File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
ret = jail.getOptions()
File "/usr/share/fail2ban/client/jailreader.py", line 77, in getOptions
self.filter.getOptions(self.opts)
File "/usr/share/fail2ban/client/filterreader.py", line 60, in getOptions
self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
File "/usr/share/fail2ban/client/configreader.py", line 84, in getOptions
v = self.get(sec, option[1])
File "/usr/lib/python2.4/ConfigParser.py", line 525, in get
return self._interpolate(section, option, value, d)
File "/usr/lib/python2.4/ConfigParser.py", line 593, in _interpolate
self.interpolatesome(option, L, rawval, section, vars, 1)
File "/usr/lib/python2.4/ConfigParser.py", line 624, in interpolatesome
raise InterpolationMissingOptionError(
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
section: [Definition]
option : failregex
key : _prefixline
rawval : client
: query (cache) './NS/IN' denied
I think I'll just give up.