Thank you, everyone for your I'll test the log queries today on my testing environment; if I can get fail2ban to work with this log I will keep you informed. The reason I want to use fail2ban is to automate the process of banning the IP without having to manually create iptables rules by hand and then manage them each time I have to add one. If this doesn't work I'll test the iptables based on time.
Thank you!
Dominick

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of W.C.A. Wijngaards
Sent: Thursday, February 02, 2012 4:27 AM
To: [email protected]
Subject: Re: [Unbound-users] Unbound Logging

On 02/02/2012 09:53 AM, Oliver Peter wrote:
> On Wed, Feb 01, 2012 at 05:24:50PM -0600, Mark Felder wrote:
>> On 01.02.2012 10:49, Dominick Rivard wrote:
>>> I am using Unbound to serve a public DNS server and I am looking for
>>> a way to prevent bot or server degrading my service by requesting
>>> the same domain name like 10 times per seconds. I thought of using
>>> fail2ban but for that I need to get the ip of the requester
>>> somewhere in the log, so I tried analyzing the log and changed the
>>> verbosity of the logging with unbound-control, but still I don't
>>> find anything yet that I could use for this purpose.
>> On BSD I'd say use a pf rule to block the IP for a time period if X
>> many concurrent states to port 53. Is something like that possible
>> with iptables on Linux?
>
> That would work on a general denial of service scenario (rate
> limiting) but the OP wanted to block the client after X connections to
> the same domain and with pf (and probably iptables) you cannot log the
> requested domainname; you will need some userlevel magic here.

If you set log-queries: yes then it logs: time, IP, name, type, class and this you can maybe use as input to that userlevel script.
Best regards,
Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
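
A sketch of the user-level script suggested in the thread, added here as an example and not code from any of the posters or from Unbound: it parses query log lines and flags clients that ask for the same name too often within a time window. The log line layout, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed line layout for Unbound with "log-queries: yes" writing to a logfile:
#   [epoch] unbound[pid:thread] info: <client IP> <qname> <qtype> <qclass>
QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<ip>[0-9A-Fa-f:.]+) (?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

def parse_query(line):
    """Return (timestamp, ip, lowercased qname), or None for non-query lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["ip"], m["name"].lower()

def find_offenders(lines, max_hits=10, window=1):
    """Return {ip: {qname, ...}} for clients that requested the same name at
    least max_hits times within `window` seconds (sliding window)."""
    recent = defaultdict(deque)   # (ip, qname) -> timestamps still in window
    offenders = defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue              # startup notices, errors, etc.
        ts, ip, name = parsed
        hits = recent[(ip, name)]
        hits.append(ts)
        while ts - hits[0] >= window:
            hits.popleft()        # drop hits that fell out of the window
        if len(hits) >= max_hits:
            offenders[ip].add(name)
    return dict(offenders)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = (
    ["[1328174820] unbound[2811:0] notice: init module 0: validator"]
    + ["[1328174821] unbound[2811:0] info: 192.0.2.10 example.com. A IN"] * 12
    + [f"[{1328174821 + i}] unbound[2811:0] info: 198.51.100.7 example.org. A IN"
       for i in range(3)]
)

if __name__ == "__main__":
    for ip, names in find_offenders(SAMPLE_LOG).items():
        print(ip, sorted(names))  # candidate addresses to hand to the ban step
```

Only the first client crosses the 10-per-second threshold; the second sends one query per second and is left alone unless the window and threshold are loosened.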
