Hello - I am trying to block DNS ANY amplification attacks. My recursive (they have to be) DNS servers are seeing hundreds of thousands of queries like the ones below. The client IP addresses are all different and likely forged.
28-Dec-2015 09:12:31.290 queries: client 176.90.14.49#12504: query: turkey.com IN ANY +E (w.x.y.z)
28-Dec-2015 09:12:31.308 queries: client 141.196.216.227#47554: query: turkey.com IN ANY +E (w.x.y.z)
......

Example of an iptables rule that works:

-A RH-Firewall-1-INPUT -p udp --dport 53 -m string --algo bm --hex-string "|06|turkey|03|com" -j DROP

I can also write the rule looking for the hex equivalent of turkey.com, but it is easier (for me, writing the rules manually) to use the format above.

Is there any way to automate my manual work using fail2ban? I think I can write the regex to find the domain. I just don't see any examples of how I might convert that to the desired output.

Bob Roswell
brosw...@syssrc.com
410-771-5544 ext 4336
Computer Museum Highlights <http://museum.syssrc.com/>
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
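An added example (not from the post above and not fail2ban's own code) of the conversion Bob is asking about: a Python script that pulls the queried name out of BIND query-log lines with a regex, counts ANY queries per name, and prints an iptables string-match rule with the name encoded as DNS wire-format labels in the `|06|turkey|03|com` form. The log format and the chain name RH-Firewall-1-INPUT are taken from the post; the sample lines are constructed, and `wire_labels_hex`, `rules_from_log` and the threshold value are choices made here.

```python
import re
from collections import Counter

# Matches a BIND query-log line and captures the queried name; only ANY queries count.
QUERY_RE = re.compile(r"client (?P<ip>[\da-fA-F.:]+)#\d+: query: (?P<name>\S+) IN ANY\b")

# Chain and match options copied from the rule in the post.
RULE_FMT = ('-A RH-Firewall-1-INPUT -p udp --dport 53 -m string --algo bm '
            '--hex-string "%s" -j DROP')

def wire_labels_hex(name):
    """Encode a domain name as DNS wire-format labels in iptables --hex-string syntax.

    turkey.com -> |06|turkey|03|com|00|  (length byte, label, ..., root terminator).
    The trailing |00| is added so the pattern does not also match e.g. turkey.com.au.
    Labels that are not plain letters/digits/hyphen are emitted entirely in hex."""
    parts = []
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid DNS label: %r" % label)
        if re.fullmatch(r"[A-Za-z0-9-]+", label):
            parts.append("|%02x|%s" % (len(raw), label))
        else:
            parts.append("|%02x%s|" % (len(raw), raw.hex()))
    return "".join(parts) + "|00|"

def rules_from_log(lines, threshold):
    """Count ANY queries per name; return (name, rule) for names seen at least threshold times."""
    counts = Counter(m.group("name").lower() for m in map(QUERY_RE.search, lines) if m)
    return [(name, RULE_FMT % wire_labels_hex(name))
            for name, n in counts.most_common() if n >= threshold]

# Constructed sample log lines in the same format as the post (not real traffic).
SAMPLE_LOG = [
    "28-Dec-2015 09:12:31.290 queries: client 176.90.14.49#12504: query: turkey.com IN ANY +E (w.x.y.z)",
    "28-Dec-2015 09:12:31.308 queries: client 141.196.216.227#47554: query: turkey.com IN ANY +E (w.x.y.z)",
    "28-Dec-2015 09:12:31.311 queries: client 203.0.113.7#5353: query: example.net IN ANY +E (w.x.y.z)",
    "28-Dec-2015 09:12:31.315 queries: client 198.51.100.9#40001: query: turkey.com IN A +E (w.x.y.z)",
]

if __name__ == "__main__":
    for name, rule in rules_from_log(SAMPLE_LOG, threshold=2):
        print("# %s" % name)
        print(rule)
```

The rule matches the encoded name anywhere in the UDP payload, so it also drops legitimate ANY queries for that name; a count threshold over a time window, rather than a single hit, keeps the list of blocked names short.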