# [solved] fail2ban + iptables on named-refused not working

## noclear2000

hi,

my named daemon is filling my disk with:

```
Aug  9 13:21:56 treehouse named[6200]: client 194.31.241.111#18029 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:56 treehouse named[6200]: client 194.31.241.111#20830 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#63663 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#5468 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#6184 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#39970 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#25741 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#50119 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:58 treehouse named[6200]: client 194.31.241.111#28646 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:58 treehouse named[6200]: client 194.31.241.111#11973 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
```

For lots of different IPs. That is a problem. I thought I could make use of fail2ban to get rid of them.

fail2ban banned the IPs according to the log. But the querying goes on and fail2ban says:

```
2013-08-09 13:23:59,781 fail2ban.actions: INFO   [named-refused-tcp] 194.31.241.111 already banned
2013-08-09 13:24:02,784 fail2ban.actions: INFO   [named-refused-tcp] 194.31.241.111 already banned
2013-08-09 13:24:04,786 fail2ban.actions: INFO   [named-refused-tcp] 194.31.241.111 already banned
```

which is true as I can see it in iptables:

```
root@treehouse [~]# iptables -L -n | grep 194.31.241.111
REJECT     all  --  194.31.241.111       0.0.0.0/0            reject-with icmp-port-unreachable
root@treehouse [~]# 
```

This is a new system so I just started configuring. Nothing else yet in iptables. I did set sshd to a port != 22 so that I do not need to deal with the log explosion there as well for now. Before I populate iptables with my rules I'd like to make fail2ban work so that nothing is interfering with it.

After a few minutes some IPs got banned with no effect:

```
root@treehouse [~]# iptables -L -n                      
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-Named  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 53,953
fail2ban-FOPENPHP  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-BadBots  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
fail2ban-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
fail2ban-SSHRESC  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10022
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-FOPENPHP (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-Named (1 references)
target     prot opt source               destination         
REJECT     all  --  212.73.87.254        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  156.154.98.93        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  207.226.173.66       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  213.83.21.21         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  109.194.113.5        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  217.69.133.70        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  213.56.26.139        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  213.56.26.137        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  217.12.192.26        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  109.195.96.4         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  62.112.98.51         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  109.195.48.4         0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  176.192.224.198      0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  194.31.241.111       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  176.192.224.194      0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-SSHRESC (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
root@treehouse [~]# 
```

But they still go on querying so they are not really blocked... Any idea?

Thanks a lot!

Cheers

Last edited by noclear2000 on Mon Aug 12, 2013 4:28 pm; edited 1 time in total
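As an added illustration (not code from this thread or from fail2ban itself), here is the logic a named-refused jail applies to lines like the ones quoted above: pull the client address out of each "query (cache) '...' denied" line and ban that address once it reaches maxretry hits inside findtime seconds. The regex and the sample log are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the "query (cache) '...' denied" line quoted above. Assumption:
# this is an equivalent written for this page, not fail2ban's own named-refused regex.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?P<ip>[0-9.]+)#\d+(?: \([^)]*\))?: query(?: \(cache\))? '[^']*' denied$"
)

# Constructed sample: five ANY queries from one client, two from another.
SAMPLE_LOG = """\
Aug  9 13:21:56 treehouse named[6200]: client 194.31.241.111#18029 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:56 treehouse named[6200]: client 194.31.241.111#20830 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 192.0.2.7#4242 (example.net): query (cache) 'example.net/A/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#63663 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:57 treehouse named[6200]: client 194.31.241.111#5468 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:58 treehouse named[6200]: client 194.31.241.111#6184 (1x1.cz): query (cache) '1x1.cz/ANY/IN' denied
Aug  9 13:21:58 treehouse named[6200]: client 192.0.2.7#4243 (example.net): query (cache) 'example.net/A/IN' denied
"""

def parse_denied(line):
    """Return (timestamp, client_ip) for a denied-query line, or None."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_bans(log_text, maxretry=5, findtime=600):
    """Emulate a jail: ban an IP at its maxretry-th hit inside findtime seconds.
    Lines from an already banned IP are skipped (the "already banned" case)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> hit timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_denied(line)
        if parsed is None or parsed[1] in bans:
            continue
        ts, ip = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # evict hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            bans[ip] = ts
    return bans
```

The ban decision is only half the jail: what the action then installs in iptables is the part this thread turns on, since a rule that matches only tcp leaves the udp queries untouched.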

----------

## broken_chaos

Something similar once happened to me, and it turned out I'd forgotten I'd disabled REJECT support in netfilter. Check if CONFIG_IP_NF_TARGET_REJECT and/or CONFIG_IP6_NF_TARGET_REJECT are set in your kernel config (`grep REJECT /usr/src/linux/.config`).

If they're not set, you can either set them, recompile, and reboot, or change /etc/fail2ban/action.d/iptables-blocktype.conf to have blocktype = DROP instead of REJECT.

----------

## noclear2000

Hi broken_chaos,

Thanks a lot! Your reply is really appreciated. This is driving me nuts. Looks like I have NF_REJECT enabled for IPv4 and as a module for IPv6:

```
root@treehouse [~]# zgrep -i reject /proc/config.gz 
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP6_NF_TARGET_REJECT=m
root@treehouse [~]#
```

However I am now trying DROP vs REJECT to see if it helps...

Thanks again and cheers,

EDIT1:

Doesn't look like it is working...

It is using DROP:

```
Chain fail2ban-Named (1 references)
target     prot opt source               destination         
DROP       all  --  217.69.133.70        0.0.0.0/0           
DROP       all  --  212.33.225.210       0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
```

but to no avail:

```
2013-08-11 01:00:37,022 fail2ban.filter : WARNING Determined IP using DNS Lookup: hsi-kbw-134-3-117-59.hsi14.kabel-badenwuerttemberg.de = ['134.3.117.59']
2013-08-11 01:04:36,175 fail2ban.actions: WARNING [named-refused-tcp] Ban 212.33.225.210
2013-08-11 01:05:40,281 fail2ban.actions: WARNING [named-refused-tcp] Ban 217.69.133.70
2013-08-11 01:05:48,310 fail2ban.actions: INFO   [named-refused-tcp] 217.69.133.70 already banned
```


----------

## broken_chaos

Oh! I didn't spot it at first, but your fail2ban rules (in the INPUT chain) are only being applied to tcp traffic. As DNS is mostly udp (except for large requests), they're mostly not being blocked. Your configuration for named in fail2ban should, assuming it's using fail2ban's default iptables-multiport action, look something like this: "action = iptables-multiport[name=Named, port="domain,953", protocol=all]" (note the 'protocol=all').

I believe that will fix your problem there.

----------

## noclear2000

Hi again,

Stupid me! Yes, you are right. Thanks a lot. However prot=all doesn't work, but splitting it into two jails for UDP and TCP works just fine.

However the UDP Names jail comes with a warning comment:

```
# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]
```

So maybe I have to live with the denied messages... I reviewed my BIND config and to me it seems pretty valid. Sadly it is quite verbose on denied cache queries. It is blowing up the logs "a little", maybe a frequent rotation would help. Allowing the DNS cache queries from "any"one is no good idea I assume. That's what some suggest in forums round the net but this is quite likely counter-productive and maybe making me part of some (amplification) attack, right?

But my initial question is solved, thanks a lot broken_chaos! I am going to mark it as solved.
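As an added example (not configuration from either poster), a jail.local fragment for the split that resolved the thread: the original jail installed a tcp-only chain in INPUT, so the udp queries named was logging were never matched. One jail per transport is defined, each with its own chain name so the rules do not collide. Jail and filter names follow fail2ban's stock named-refused jails; the logpath is an assumption (wherever syslog writes named's lines on the box), and the ignoreip addresses are placeholders.

```ini
# /etc/fail2ban/jail.local (overrides jail.conf)
# The thread's single jail produced "fail2ban-Named tcp ... dports 53,953"
# in INPUT, which never sees udp queries. One jail per transport fixes that.

[named-refused-tcp]
enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named-tcp, port="domain,953", protocol=tcp]
# assumption: the syslog file that receives named's "query ... denied" lines
logpath  = /var/log/messages
# placeholders: addresses that must never be banned (own hosts, forwarders)
ignoreip = 127.0.0.1/8 192.0.2.0/24
maxretry = 5
findtime = 600
bantime  = 3600

# The udp jail acts on source addresses it cannot verify (see the warning
# quoted above), so a short bantime and a strict ignoreip limit the damage
# if a spoofed flood carries a third party's address.
[named-refused-udp]
enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named-udp, port="domain", protocol=udp]
logpath  = /var/log/messages
ignoreip = 127.0.0.1/8 192.0.2.0/24
maxretry = 5
findtime = 600
bantime  = 600
```

After a reload, `iptables -L -n` should show both a `fail2ban-Named-tcp` and a `fail2ban-Named-udp` chain referenced from INPUT, the second with `udp` in its prot column.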

----------

