There is a good reason if CentOS did not upgrade to this version....
On Thu, Jun 9, 2011 at 3:18 PM,
If your goal is to reduce the load on your server,
I would install something like fail2ban and configure
it to watch your pdns logs. It pattern matches, so it
should be trivial to do so. It can dynamically modify
iptables rules to block requests from an "offending" IP.
I wouldn't recommend doing an upgrade to your software
(especially to a release candidate) while under "attack."
On Thu, Jun 9, 2011 at 3:25 PM,
iptables on Linux allows filtering on string matches, try:
# iptables -A INPUT -m string --string 'keyword' -j DROP
This can be quite effective.
You should also set: log-dns-details=off
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that
makes too many password failures. It updates firewall rules to reject the IP address.
Be aware, however that inserting thousands of firewall entries may
severely hinder server performance. We've been under such attacks
before and gathered 35000+ IPs in a short period of time. (I have
created a small script with creates multi-level firewall tables for /8
/16 and /24 nets to spare huge amounts of lookups, if anyone
insterested drop me a mail, I didn't have the time to "finish/polish"
it and put online.)
The other problem is that in some cases the attack zombies are all
one-shot: no point to firewall them because they do not come again.
You have to check their pattern, whether they are repeating (in that
case you can firewall them), or originate from the same subnets/AS
numbers (in that case simply firewalling these nets could help, and
you most probably won't miss china and romania for a week, I don't
miss some chinese subnets for years ;->).
But in general pdns should handle well hundred thousands of such
requests on recent hardware, just switch off logging them.
#$Id: timed_firewall.sh,v 4457f70a8d8a 2011/06/10 21:28:20 grin $
# (C)Peter Gervai <grin*grin.hu>, 2009-2011.
# Released under GNU/GPL v2 or later.
# firewall user and remove it after a specific time
# uses hierarchical chains to reduce lookup times
# depends on 'at' command
# requires a few iptables kernel modules and userspace support
# error checking is pretty... lax...
# default firewalling duration
if [ "$IP" == "" ]; then
echo " "
echo "Usage: $0 <ip> [<interval>] interval defaults to $DEF_INT"
echo "Example: $0 126.96.36.199 '2 weeks'"
echo " "
if [ "$INTERVAL" == "" ]; then INTERVAL="$DEF_INT"; fi
## check environment
if `$IPTABLES -L $FWBASE 2>&1 | grep -q 'No chain'`; then
# no fw structure exists
#echo -e "\nNo firewall structure: don't forget $IPTABLES -I INPUT -j $FWBASE\n"
$IPTABLES -N $FWBASE
$IPTABLES -A INPUT -j $FWBASE -m comment --comment 'added $DATE'
# get subchains by first and second octet of the IP
IP1=`echo "$IP" | cut -d. -f1`
IP2=`echo "$IP" | cut -d. -f2`
XIP1=`printf "%02x" $IP1`
XIP2=`printf "%02x" $IP2`
## check top level fw (x.x.x.x/8)
if `$IPTABLES -L $CHAIN1 2>&1 | grep -q 'No chain'`; then
# create octet1 subchain
$IPTABLES -N $CHAIN1
$IPTABLES -I $FWBASE -j $CHAIN1 -s "$IP188.8.131.52/8" -m comment --comment "$DATE"
## check 2nd level fw (x.x.x.x/16)
if `$IPTABLES -L $CHAIN2 2>&1 | grep -q 'No chain'`; then
# create octet2 subchain
$IPTABLES -N $CHAIN2
$IPTABLES -I $CHAIN1 -j $CHAIN2 -s "$IP1.$IP2.0.0/16" -m comment --comment "$DATE"
## do the job
# firewall the IP in its subchain
$IPTABLES -I $CHAIN2 -s $IP -j DROP -m comment --comment "fw $DATE; exp $INTERVAL"
# put future removal in the 'at' queue
echo "$IPTABLES -D $CHAIN2 -s $IP -j DROP -m comment --comment 'fw $DATE; exp $INTERVAL'" | \
at "now + $INTERVAL" 2> /dev/null
# inform the monkey at the keyboard ;-)
echo "IP number $IP is firewalled for $INTERVAL"
echo " ($FWBASE->$CHAIN1->$CHAIN2)"
Users browsing this forum: No registered users and 1 guest