disabling entirely named-refused-udp jail with a big fat warning

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@762 a942ae1a-1317-0410-a47c-b1dcaea8d605
2010-06-29 01:38:05 +00:00 · 2010-06-29 01:38:05 +00:00 · 180a98db85
parent 24d8e29ace
commit 180a98db85
1 changed files with 16 additions and 8 deletions
--- a/config/jail.conf
+++ b/config/jail.conf
@ -212,14 +212,22 @@ ignoreip = 168.192.0.1
 # in your named.conf to provide proper logging.
 # This jail blocks UDP traffic for DNS requests.
-[named-refused-udp]
+# !!! WARNING !!!
-
+#   Since UDP is connectionless protocol, spoofing of IP and immitation
-enabled  = false
+#   of illegal actions is way too simple.  Thus enabling of this filter
-filter   = named-refused
+#   might provide an easy way for implementing a DoS against a chosen
-action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+#   victim. See
-           sendmail-whois[name=Named, dest=you@mail.com]
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
-logpath  = /var/log/named/security.log
+#   Please DO NOT USE this jail unless you know what you are doing.
-ignoreip = 168.192.0.1
+#
 # [named-refused-udp]
 #
 # enabled  = false
 # filter   = named-refused
 # action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
 #            sendmail-whois[name=Named, dest=you@mail.com]
 # logpath  = /var/log/named/security.log
 # ignoreip = 168.192.0.1
 # This jail blocks TCP traffic for DNS requests.