#! /bin/sh /usr/share/dpatch/dpatch-run ## 00_named_refused.dpatch by Yaroslav Halchenko ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf --- trunk~/config/filter.d/named-refused.conf 2007-08-14 19:42:35.000000000 -0400 +++ trunk/config/filter.d/named-refused.conf 2007-08-17 12:36:28.000000000 -0400 @@ -9,10 +9,8 @@ [Definition] -# if you want to catch only login erros from specific daemons, use smth like -#_named_rcodes=(?:REFUSED|SERVFAIL) -# To catch all REFUSED queries only -_named_rcodes=REFUSED +# +# Daemon name _daemon=named # @@ -28,7 +26,6 @@ # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # -failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': #\S+$ - %(__line_prefix)sclient #\S+: query(?: \(cache\))? '.*' denied\s*$ +failregex = %(__line_prefix)sclient #\S+: query(?: \(cache\))? '.*' denied\s*$ diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples --- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500 +++ trunk/config/filter.d/named-refused.examples 2007-08-17 12:36:00.000000000 -0400 @@ -0,0 +1,5 @@ +Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied +Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied +Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied +Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied +Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied diff -urNad trunk~/config/jail.conf trunk/config/jail.conf --- trunk~/config/jail.conf 2007-08-14 19:12:48.000000000 -0400 +++ trunk/config/jail.conf 2007-08-17 12:36:00.000000000 -0400 @@ -170,13 +170,13 @@ # with bind9 installation. You will need something like this: # # logging { -# channel lame-servers_file { -# file "/var/log/named/lame-servers.log" versions 3 size 30m; +# channel security_file { +# file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; -# category lame-servers { -# lame-servers_file; +# category security { +# security_file; # }; # } # @@ -189,7 +189,7 @@ filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=udp] sendmail-whois[name=Named, dest=you@mail.com] -logpath = /var/log/named/lame-servers.log +logpath = /var/log/named/security.log ignoreip = 168.192.0.1 # This jail blocks TCP traffic for DNS requests. @@ -200,6 +200,6 @@ filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] sendmail-whois[name=Named, dest=you@mail.com] -logpath = /var/log/named/lame-servers.log +logpath = /var/log/named/security.log ignoreip = 168.192.0.1