iptables -A INPUT -p udp --dport 53 --match length --length 45 -j DROP

I'm not sure about implementing it myself, though; can legitimate DNS traffic not also use 45 byte packets? Maybe it can't, since it would always be asking for more than just ".".

If you use it, please report how it works.

They query they're using is './NS/IN' ..

Wonder why I didn't see –match in the documentation anywhere.. Maybe I wasn't looking in the right place.. Thanks for the info.

Maybe I'll just fail2ban the './NS/IN' query! Hmmm..

I'm using the following, with a bantime of a week

failregex  = ^%(__prefix_line)sclient <host>: query \(cache\) '\./NS/IN' denied</host>

There are better ways to do this imho and many fixes, just setup bind so it only responds to the domains in your config and not to generic requests.

A properly configured Bind will still respond with REFUSED, which is still a packet that is bound for the victim's IP address, and while not as significant as the root hints, its still traffic that the victim doesn't need to be seeing.

@mwalling:

I'm using the following, with a bantime of a week

failregex  = ^%(__prefix_line)sclient <host>: query \(cache\) '\./NS/IN' denied</host>

Something's wrong with my fail2ban.. When it adds the iptables chain, and the INPUT entry, it adds the wrong protocol (TCP) for blocking UDP traffic. Sure, fail2ban adds it to the chain but the INPUT entry is all wrong so everything just keeps coming in.

If you're using the iptables action, you need to set the protocol as an argument. The default ssh-iptables jail has an example you could use.

I don't have one of those :-/ I just downloaded the most recent fail2ban too.

jail.conf
> # Fail2Ban configuration file.

#

This file was composed for Debian systems from the original one

provided now under /usr/share/doc/fail2ban/examples/jail.conf

for additional examples.

#

To avoid merges during upgrades DO NOT MODIFY THIS FILE

and rather provide your changes in /etc/fail2ban/jail.local

#

Author: Yaroslav O. Halchenko <debian@onerussian.com>

#

$Revision: 281 $

#

The DEFAULT allows a global definition of the options. They can be override

in each jail afterwards.

[DEFAULT]

"ignoreip" can be an IP address, a CIDR mask or a DNS host

ignoreip = 127.0.0.1

bantime = 600

maxretry = 3

"backend" specifies the backend used to get files modification. Available

options are "gamin", "polling" and "auto".

yoh: For some reason Debian shipped python-gamin didn't work as expected

This issue left ToDo, so polling is default backend for now

backend = polling

#

Destination email address used solely for the interpolations in

jail.{conf,local} configuration files.

destemail = root@localhost

#

ACTIONS

#

Default banning action (e.g. iptables, iptables-new,

iptables-multiport, shorewall, etc) It is used to define

action_* variables. Can be overriden globally or per

section within jail.local file

banaction = iptables-multiport

email action. Since 0.8.1 upstream fail2ban uses sendmail

MTA for the mailing. Change mta configuration parameter to mail

if you want to revert to conventional 'mail'.

mta = sendmail

Default protocol

protocol = tcp

#

Action shortcuts. To be used to define action parameter

The simplest action to take: ban only

action_ = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]

ban & send an e-mail with whois report to the destemail.

action_mw = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]

%(mta)s-whois[name=%(name)s, dest="%(destemail)s", protocol="%(protocol)s]

ban & send an e-mail with whois report and relevant log lines

to the destemail.

action_mwl = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]

%(mta)s-whois-lines[name=%(name)s, dest="%(destemail)s", logpath=%(logpath)s]

Choose default action. To change, just override value of 'action' with the

interpolation to the chosen action shortcut (e.g. actionmw, actionmwl, etc) in jail.local

globally (section [DEFAULT]) or per specific section

action = %(action_)s

#

JAILS

#

Next jails corresponds to the standard configuration in Fail2ban 0.6 which

was shipped in Debian. Enable any defined here jail by including

#

[SECTION_NAME]

enabled = true

#

in /etc/fail2ban/jail.local.

#

Optionally you may override any other parameter (e.g. banaction,

action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = false

port = ssh

filter = sshd

logpath = /var/log/auth.log

maxretry = 6

Generic filter for pam. Has to be used with action which bans all ports

such as iptables-allports, shorewall

[pam-generic]

enabled = false

pam-generic filter can be customized to monitor specific subset of 'tty's

filter = pam-generic

port actually must be irrelevant but lets leave it all for some possible uses

port = all

banaction = iptables-allports

port = anyport

logpath = /var/log/auth.log

maxretry = 6

[xinetd-fail]

enabled = false

filter = xinetd-fail

port = all

banaction = iptables-multiport-log

logpath = /var/log/daemon.log

maxretry = 2

[ssh-ddos]

enabled = false

port = ssh

filter = sshd-ddos

logpath = /var/log/auth.log

maxretry = 6

#

HTTP servers

#

[apache]

enabled = false

port = http,https

filter = apache-auth

logpath = /var/log/apache/error.log

maxretry = 6

default action is now multiport, so apache-multiport jail was left

for compatibility with previous (<0.7.6-2) releases

[apache-multiport]

enabled = false

port = http,https

filter = apache-auth

logpath = /var/log/apache/error.log

maxretry = 6

[apache-noscript]

enabled = false

port = http,https

filter = apache-noscript

logpath = /var/log/apache/error.log

maxretry = 6

[apache-overflows]

enabled = false

port = http,https

filter = apache-overflows

logpath = /var/log/apache/error.log

maxretry = 2

#

FTP servers

#

[vsftpd]

enabled = false

port = ftp,ftp-data,ftps,ftps-data

filter = vsftpd

logpath = /var/log/vsftpd.log

or overwrite it in jails.local to be

logpath = /var/log/auth.log

if you want to rely on PAM failed login attempts

vsftpd's failregex should match both of those formats

maxretry = 6

[proftpd]

enabled = false

port = ftp,ftp-data,ftps,ftps-data

filter = proftpd

logpath = /var/log/proftpd/proftpd.log

maxretry = 6

[wuftpd]

enabled = false

port = ftp,ftp-data,ftps,ftps-data

filter = wuftpd

logpath = /var/log/auth.log

maxretry = 6

#

Mail servers

#

[postfix]

enabled = false

port = smtp,ssmtp

filter = postfix

logpath = /var/log/mail.log

[couriersmtp]

enabled = false

port = smtp,ssmtp

filter = couriersmtp

logpath = /var/log/mail.log

#

Mail servers authenticators: might be used for smtp,ftp,imap servers, so

all relevant ports get banned

#

[courierauth]

enabled = false

port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

filter = courierlogin

logpath = /var/log/mail.log

[sasl]

enabled = false

port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

filter = sasl

logpath = /var/log/mail.log

DNS Servers

These jails block attacks against named (bind9). By default, logging is off

with bind9 installation. You will need something like this:

#

logging {

channel security_file {

file "/var/log/named/security.log" versions 3 size 30m;

severity dynamic;

print-time yes;

};

category security {

security_file;

};

}

#

in your named.conf to provide proper logging

Word of Caution:

Given filter can lead to DoS attack against your DNS server

since there is no way to assure that UDP packets come from the

real source IP

[named-refused-udp]

enabled = true

port = domain,953

protocol = udp

banaction = iptables-allports

filter = named-refused

logpath = /var/log/named/security.log

logpath = /var/log/syslog

[named-refused-tcp]

enabled = false

port = domain,953

protocol = tcp

filter = named-refused

logpath = /var/log/named/security.log

jail.local
> # Fail2Ban configuration file.

#

This file was composed for Debian systems from the original one

provided now under /usr/share/doc/fail2ban/examples/jail.conf

for additional examples.

#

To avoid merges during upgrades DO NOT MODIFY THIS FILE

and rather provide your changes in /etc/fail2ban/jail.local

#

Author: Yaroslav O. Halchenko <debian@onerussian.com>

#

$Revision: 281 $

#

The DEFAULT allows a global definition of the options. They can be override

in each jail afterwards.

[DEFAULT]

"ignoreip" can be an IP address, a CIDR mask or a DNS host

ignoreip = 127.0.0.1 75.174.57.33

bantime = 864000

maxretry = 2

"backend" specifies the backend used to get files modification. Available

options are "gamin", "polling" and "auto".

yoh: For some reason Debian shipped python-gamin didn't work as expected

This issue left ToDo, so polling is default backend for now

backend = polling

#

Destination email address used solely for the interpolations in

jail.{conf,local} configuration files.

destemail = root@localhost

Default action to take: ban only

action = iptables[name=%(name)s, port=%(port)s]

Following actions can be chosen as an alternatives to the above action.

To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines

into jail.local

Default action to take: ban & send an e-mail with whois report

to the destemail.

action = iptables[name=%(name)s, port=%(port)s]

mail-whois[name=%(name)s, dest=%(destemail)s]

Default action to take: ban & send an e-mail with whois report

and relevant log lines to the destemail.

action = iptables[name=%(name)s, port=%(port)s]

mail-whois-lines[name=%(name)s, dest=%(destemail)s, logpath=%(logpath)s]

Next jails corresponds to the standard configuration in Fail2ban 0.6

which was shipped in Debian. Please enable any defined here jail by including

#

[SECTION_NAME]

enabled = true

#

in /etc/fail2ban/jail.local.

#

[ssh]

enabled = false

port = ssh

filter = sshd

logpath = /var/log/auth.log

maxretry = 2

#

HTTP servers

#

[apache]

enabled = false

port = http

filter = apache-auth

logpath = /var/log/apache/access.log

maxretry = 6

#

FTP servers

#

[vsftpd]

enabled = false

port = ftp

filter = vsftpd

logpath = /var/log/auth.log

maxretry = 6

#

Mail servers

#

[postfix]

enabled = false

port = smtp

filter = postfix

logpath = /var/log/postfix.log

[sasl]

enabled = false

port = smtp

filter = sasl

logpath = /var/log/mail.log

````

This file was composed for Debian systems from the original one

provided now under /usr/share/doc/fail2ban/examples/jail.conf

for additional examples.

Patch-happy distros? <url url="http://www.metasploit.com/users/hdm/tools/debian-openssl/">~~[](http://www.metasploit.com/users/hdm/tools/debian-openssl/)~~[OpenSSL](http://www.metasploit.com/users/hdm/tools/debian-openssl/)</url>? What?

[bind-ddos]
enabled = true
filter = bind-ddos
action = iptables[name=bind-ddos, port=53, protocol=udp]
mail-whois-lines[name=bind-ddos, dest=mwalling-f2b, logpath=/var/log/messages]
logpath = /var/log/messages
maxretry = 3
findtime = 60
bantime = 86400
````

I put your [bind-ddos] in jail.local and created a bind-ddos.conf in filter.d/ but I just got some funky errors.

> File "/usr/bin/fail2ban-client", line 375, in __readConfig

ret = self.__configurator.getOptions()

File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions

return self.__jails.getOptions(jail)

File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions

ret = jail.getOptions()

File "/usr/share/fail2ban/client/jailreader.py", line 77, in getOptions

self.filter.getOptions(self.opts)

File "/usr/share/fail2ban/client/filterreader.py", line 60, in getOptions

self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)

File "/usr/share/fail2ban/client/configreader.py", line 84, in getOptions

v = self.get(sec, option[1])

File "/usr/lib/python2.4/ConfigParser.py", line 525, in get

return self._interpolate(section, option, value, d)

File "/usr/lib/python2.4/ConfigParser.py", line 593, in _interpolate

self.interpolatesome(option, L, rawval, section, vars, 1)

File "/usr/lib/python2.4/ConfigParser.py", line 624, in interpolatesome

raise InterpolationMissingOptionError(

ConfigParser.InterpolationMissingOptionError: Bad value substitution:

section: [Definition]

option : failregex

key : _prefixline

rawval : client : query (cache) './NS/IN' denied

I think I'll just give up.