Bind/Fail2ban how to reject requests from certain domain


Today my VPS got stuck.
CentOS 7, 4 cores, Bind 9.11.
From ssh I got

Message from syslogd@host at Jul 18 09:46:16 ... kernel:NMI watchdog: BUG: soft lockup - CPU#0 stuck for 41s! [f2b/observer:1299]

From another ssh session, with top left running, I got at the end

top - 10:06:05 up 9:22, 1 user, load average: 101,26, 106,77, 94,46
Tasks: 318 total, 80 running, 218 sleeping, 0 stopped, 20 zombie

In /var/log/messages I have several lines like these

Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 97.100.253.26#3658 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37011cfc0 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb370100080 97.100.253.26#3658 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb370100080 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied

After resetting the server everything was normal, but after some hours the problems came back.
At the moment everything is fine, but tailf /var/log/messages outputs

Jul 18 12:33:13 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:18 host named[1017]: client @0x7fcde010e820 67.240.44.5#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:21 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:29 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:47 host named[1017]: client @0x7fcde010e820 67.240.44.5#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied

The requests are more spread out in time, so they don't hurt, but after a while... who knows.
How can I reject incoming requests for this known "domain.com" (or others)? This is a small-budget server; I cannot hire those DDoS-prevention services.

I followed these last instructions:
I created /etc/named/block and added a zone to /etc/named.conf.

It worked: tailf /var/log/messages doesn't list those requests anymore, but I don't know whether doing it that way is a good idea.

UPDATE: screenshot

djdomi: Well, even if your server gets 5 million requests, it's just a bit of noise. To stop this kind of request, you have to fix it via fail2ban instead of named.
OP: @djdomi I already have f2b installed from scratch. I don't know how to handle that issue with fail2ban. A webpage with 30 thumbnails produces a lot of requests in a short time. I added a screenshot of a crucial part of /var/log/messages.
djdomi: I would suggest enabling rate limits and then using my regex for [fail2ban](https://github.com/djdomi/fail2ban-rules/blob/main/named/named-antispam/named-antispam.conf).
djdomi: Then update your question with the information about what you have tried too. Also remember that there are some standard rules like named-refused-tcp or udp.
OP: As soon as I can I will move to another VPS and then follow your recommendations. There will be a delay. Thanks.
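To show what the fail2ban route suggested above actually does with the named "query (cache) ... denied" lines from the question, here is an added example (not from the question, the comments, or djdomi's rule set) that applies a fail2ban-style failregex to constructed sample lines and reports which client IPs would cross a maxretry/findtime threshold. The regex, the sample lines, the function names and the thresholds are all my assumptions; in a real fail2ban filter the IP group is written as `<HOST>`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same format as the question's /var/log/messages excerpt.
SAMPLE_LOG = """\
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:04 host named[1078]: client @0x7fb37010e820 97.100.253.26#3658 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 09:44:05 host named[1078]: client @0x7fb37011cfc0 192.182.160.249#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:13 host named[1017]: client @0x7fcde010e820 172.58.188.22#64587 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
Jul 18 12:33:47 host named[1017]: client @0x7fcde010e820 67.240.44.5#80 (domain.com): query (cache) 'domain.com/RRSIG/IN' denied
"""

# Assumed failregex equivalent: the "@0x..." client handle is optional, the source IP is
# captured where a fail2ban filter would put <HOST>, the queried zone is captured too.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query \(cache\) '[^']+' denied"
)


def parse_denied(log_text):
    """Yield (timestamp, client_ip, queried_zone) for each matching 'denied' line."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # year-less syslog prefix
        yield ts, m.group("ip"), m.group("qname")


def find_offenders(log_text, maxretry=3, findtime=60):
    """Return {ip: total_hits} for IPs with >= maxretry hits inside any findtime-second
    window, the same sliding-window test a fail2ban jail applies before banning."""
    hits = defaultdict(list)
    for ts, ip, _zone in parse_denied(log_text):
        hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))  # only 192.182.160.249 bursts within one minute
```

The two clients from the later, slower excerpt never reach maxretry inside findtime, which is the behaviour the question describes: fail2ban bans the burst, not the occasional stray query.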