51 lines
1.5 KiB
Plaintext
51 lines
1.5 KiB
Plaintext
# Fail2Ban filter file for named (bind9).
|
|
#
|
|
|
|
# This filter blocks attacks against named (bind9) however it requires special
|
|
# configuration on bind.
|
|
#
|
|
# By default, logging is off with bind9 installation.
|
|
#
|
|
# You will need something like this in your named.conf to provide proper logging.
|
|
#
|
|
# logging {
|
|
# channel security_file {
|
|
# file "/var/log/named/security.log" versions 3 size 30m;
|
|
# severity dynamic;
|
|
# print-time yes;
|
|
# };
|
|
# category security {
|
|
# security_file;
|
|
# };
|
|
# };
|
|
|
|
[Definition]
|
|
|
|
# Daemon name
|
|
_daemon=named
|
|
|
|
# Shortcuts for easier comprehension of the failregex
|
|
|
|
__pid_re=(?:\[\d+\])
|
|
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
|
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
|
|
|
# hostname daemon_id spaces
|
|
# this can be optional (for getInstance if we match named native log files)
|
|
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
|
|
|
prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
|
|
|
|
failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
|
|
^zone transfer '\S+/AXFR/\w+' denied\s*$
|
|
^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
|
|
|
|
ignoreregex =
|
|
|
|
# DEV Notes:
|
|
# Trying to generalize the
|
|
# structure which is general to capture general patterns in log
|
|
# lines to cover different configurations/distributions
|
|
#
|
|
# Author: Yaroslav Halchenko
|