Fail2ban bans by IP address. I think you may want to look into Bind views. Have one view for queries that need to be recursive and another view for the rest.
Bill

On 12/28/2015 12:20 PM, Bob Roswell wrote:
> Hello –
>
> I am trying to block DNS ANY amplification attacks. My recursive (they have to be) DNS servers are seeing hundreds of thousands of queries like the ones below. The client IP addresses are all different and likely forged.
>
> 28-Dec-2015 09:12:31.290 queries: client 176.90.14.49#12504: query: turkey.com IN ANY +E (w.x.y.z)
>
> 28-Dec-2015 09:12:31.308 queries: client 141.196.216.227#47554: query: turkey.com IN ANY +E (w.x.y.z)
>
> ……
>
> Example of iptables rule that works
>
> -A RH-Firewall-1-INPUT -p udp --dport 53 -m string --algo bm --hex-string "|06|turkey|03|com" -j DROP
>
> I can also write the rule looking for the hex equivalent of turkey.com, but it is easier (for me writing the rules manually) to use the format above.
>
> Any way to automate my manual working using fail2ban? I think I can write the regex to find the domain. I just don't see any examples of how I might convert that to the desired output.
>
> Bob Roswell
>
> brosw...@syssrc.com
>
> 410-771-5544 ext 4336
>
> Computer Museum Highlights <http://museum.syssrc.com/>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
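The conversion Bob asks about (from a query-log line to the `|06|turkey|03|com` form that `--hex-string` takes) is just DNS wire-format label encoding: each label is preceded by a one-byte length. The following Python is an added example written for this thread, not something from either poster or from the fail2ban project. It parses constructed log lines of the same shape as those quoted above, counts ANY queries per name rather than per client IP (the source addresses are forged, as Bob notes, so banning them would only hit the reflection victims), and emits DROP rules in the format of Bob's working rule. The sample lines, the `threshold` parameter and the `any_only` option are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample query-log lines in the same shape as the BIND lines quoted
# in the thread (the names and addresses here are made up for the example).
SAMPLE_LOG = """\
28-Dec-2015 09:12:31.290 queries: client 176.90.14.49#12504: query: turkey.com IN ANY +E (w.x.y.z)
28-Dec-2015 09:12:31.308 queries: client 141.196.216.227#47554: query: turkey.com IN ANY +E (w.x.y.z)
28-Dec-2015 09:12:31.311 queries: client 203.0.113.7#5353: query: example.net IN ANY +E (w.x.y.z)
28-Dec-2015 09:12:31.320 queries: client 198.51.100.9#40001: query: www.example.org IN A +E (w.x.y.z)
"""

# "client <ip>#<port>: query: <qname> IN <qtype>" is the only part of a BIND
# query-log line this needs; the rest of the line is ignored.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_any_queries(log_text):
    """Return (qname, client_ip) pairs for every ANY query in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qtype").upper() == "ANY":
            hits.append((m.group("qname").rstrip(".").lower(), m.group("ip")))
    return hits


def count_by_qname(hits):
    """Count ANY queries per name; the (spoofed) client IPs are deliberately unused."""
    return Counter(qname for qname, _ in hits)


def wire_hex_string(qname):
    """Encode a domain name as the wire-format labels --hex-string expects,
    e.g. 'turkey.com' -> '|06|turkey|03|com' (a length byte before each label)."""
    parts = []
    for label in qname.rstrip(".").split("."):
        raw = label.encode("idna")  # punycode for any non-ASCII label
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % qname)
        if re.fullmatch(rb"[A-Za-z0-9_-]+", raw):
            parts.append("|%02x|%s" % (len(raw), raw.decode("ascii")))
        else:  # anything unusual: emit the whole label as hex bytes
            parts.append("|%02x%s|" % (len(raw), raw.hex()))
    return "".join(parts)


def iptables_rule(qname, chain="RH-Firewall-1-INPUT", any_only=False):
    """Build a DROP rule in the form used in the thread. With any_only=True the
    pattern also requires the root label plus QTYPE=ANY (0x00ff) and QCLASS=IN
    (0x0001) that follow the name in the question section, so ordinary A/AAAA
    lookups for the same name are left alone."""
    pattern = wire_hex_string(qname)
    if any_only:
        pattern += "|0000ff0001|"
    return ('-A %s -p udp --dport 53 -m string --algo bm --hex-string "%s" -j DROP'
            % (chain, pattern))


def generate_rules(log_text, threshold=2, any_only=False):
    """Rules for every name seen in at least `threshold` ANY queries, busiest first."""
    counts = count_by_qname(parse_any_queries(log_text))
    return [iptables_rule(q, any_only=any_only)
            for q, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_LOG, threshold=2, any_only=True):
        print(rule)
```

Two caveats worth keeping in mind before loading such rules: a plain byte match is case-sensitive while DNS names are not, so a client sending `Turkey.COM` would slip past unless the string match is given `--icase`; and the name-only pattern drops every query for that name, which is why the `any_only` form that also pins QTYPE/QCLASS is the safer default for a recursive server that must keep answering legitimate lookups. The rule generation here is a stopgap for the log lines already seen; Bill's suggestion of separate views for the clients that genuinely need recursion addresses the problem at the source.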