2013-10-30 13:02:59 +00:00
|
|
|
# Fail2Ban filter file for named (bind9).
|
2007-08-08 22:21:15 +00:00
|
|
|
#
|
2013-10-30 13:02:59 +00:00
|
|
|
|
|
|
|
# This filter blocks attacks against named (bind9) however it requires special
|
|
|
|
# configuration on bind.
|
2007-08-08 22:21:15 +00:00
|
|
|
#
|
2013-10-30 13:02:59 +00:00
|
|
|
# By default, logging is off with bind9 installation.
|
2007-08-08 22:21:15 +00:00
|
|
|
#
|
2013-10-30 13:02:59 +00:00
|
|
|
# You will need something like this in your named.conf to provide proper logging.
|
2007-08-08 22:21:15 +00:00
|
|
|
#
|
2013-10-30 10:12:16 +00:00
|
|
|
# logging {
|
|
|
|
# channel security_file {
|
|
|
|
# file "/var/log/named/security.log" versions 3 size 30m;
|
|
|
|
# severity dynamic;
|
|
|
|
# print-time yes;
|
|
|
|
# };
|
|
|
|
# category security {
|
|
|
|
# security_file;
|
|
|
|
# };
|
|
|
|
# };
|
2007-08-08 22:21:15 +00:00
|
|
|
|
|
|
|
[Definition]
|
|
|
|
|
2007-08-27 21:03:33 +00:00
|
|
|
# Daemon name
|
2022-06-21 12:15:38 +00:00
|
|
|
_daemon=named(?:-\w+)?
|
2007-08-08 22:21:15 +00:00
|
|
|
|
|
|
|
# Shortcuts for easier comprehension of the failregex
|
2013-10-30 13:02:59 +00:00
|
|
|
|
2007-08-08 22:21:15 +00:00
|
|
|
__pid_re=(?:\[\d+\])
|
|
|
|
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
|
|
|
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
2013-10-30 13:02:59 +00:00
|
|
|
|
2022-11-03 10:41:21 +00:00
|
|
|
_category = (?!error|info)[\w-]+
|
|
|
|
_category_re = (?:%(_category)s: )?
|
|
|
|
|
2007-08-08 22:21:15 +00:00
|
|
|
# hostname daemon_id spaces
|
|
|
|
# this can be optional (for instance if we match named native log files)
|
2022-11-03 10:41:21 +00:00
|
|
|
__line_prefix=\s*(?:\S+ %(__daemon_combs_re)s\s+)?%(_category_re)s
|
2007-08-08 22:21:15 +00:00
|
|
|
|
2024-03-25 15:26:34 +00:00
|
|
|
prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied(?: \([^\)]*\))?|\(NOTAUTH\))\s*$
|
2017-02-21 14:54:59 +00:00
|
|
|
|
2019-07-29 11:14:04 +00:00
|
|
|
failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
|
|
|
|
^zone transfer
|
|
|
|
^bad zone transfer request: '\S+/IN': non-authoritative zone
|
2013-08-28 02:32:40 +00:00
|
|
|
|
2014-11-12 09:30:28 +00:00
|
|
|
ignoreregex =
|
|
|
|
|
2013-10-30 13:02:59 +00:00
|
|
|
# DEV Notes:
|
|
|
|
# Trying to generalize the
|
|
|
|
# structure which is general to capture general patterns in log
|
|
|
|
# lines to cover different configurations/distributions
|
|
|
|
#
|
|
|
|
# Author: Yaroslav Halchenko
|