• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Issue Named attack

EnriqueR

EnriqueR

Regular Pleskian
I am having a problem with my Plesk server since for a few weeks it is being attacked using brute force in named. I have noticed that in the file '/var/log/messages' the following line appears thousands of times:

Nov 22 16:43:04 myserver named[571]: client x.x.x.x#49784: query (cache) 'domain.com/A/IN' denied
Nov 22 16:43:04 myserver named[571]: client x.x.x.x#49784: query (cache) 'domain.com/A/IN' denied
...

Most domain.com logged no longer exist in my VPS.
I have seen in a forum that adding the following content in the file '/etc/named.conf' solves the problem:

Code: 
options{
...
allow-query-cache { none; };
recursion no;
additional-from-auth no;
additional-from-cache no;
minimal-responses yes;
...
}

But I can not modify this file because on entering it says:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED

I created two filter rules in fail2ban (named-refused-tcp, named-refused-udp) explained here and working ok:

https://talk.plesk.com/threads/dns-recurcion-problem-or-attack.312799/

But although it works, it does not stop filtering different IPs without limit. It currently has 1500 and up. According to the modification I indicated above in named.conf, this attack would be solved without having to work fail2ban, which is much more effective.

How can I modify the named.conf file? Or if you have another solution to mitigate the attack ...
 
@EnriqueR

The problem with Fail2Ban is that it is

- iptables based,
- allowing bans during a specific period of time (hence requiring resources to keep track of IPs to ban and IPs banned)

implying that both Fail2Ban and any iptables based firewall can become a bottleneck, or even a cause of problems.

One can configure Fail2Ban to use a custom jail and filter, in order to block really bad IPs in the /etc/hosts.deny file: this is a quick and efficient fix.

One can also configure named by using the "include" statement in the named.conf file, which allows you to put your modifications in a separate file.

In my opinion, the "hosts.deny" option is the most efficient, if and only if the bad IPs are blocked for a very long period (consider a ban period of 1 year).

Hope this helps a bit.

Regards......
 
trialotto said:
@EnriqueR

The problem with Fail2Ban is that it is

- iptables based,
- allowing bans during a specific period of time (hence requiring resources to keep track of IPs to ban and IPs banned)

implying that both Fail2Ban and any iptables based firewall can become a bottleneck, or even a cause of problems.

One can configure Fail2Ban to use a custom jail and filter, in order to block really bad IPs in the /etc/hosts.deny file: this is a quick and efficient fix.

One can also configure named by using the "include" statement in the named.conf file, which allows you to put your modifications in a separate file.

In my opinion, the "hosts.deny" option is the most efficient, if and only if the bad IPs are blocked for a very long period (consider a ban period of 1 year).

Hope this helps a bit.

Regards......
Click to expand...

@trialotto I can not use "hosts.deny" because IPs are constantly changing between attacks. And I can not include nothing in the named.conf file because it clearly states that is generated automatically.

:(:(
 
@EnriqueR

Using Fail2Ban to write to hosts.deny will allow you to (automatically) update the hosts.deny file (read: add and delete IPs, according to the Fail2Ban jail and filter specifications).

So, IP changes are not that relevant: they simply result in another line in the hosts.deny file.

Regards.....
 
You must log in or register to reply here.

Similar threads

Jürgen_T
Question Massive Brute-Force Attacks on Plesk Panel – Looking for Additional Protection Measures
Replies
15
Views
2K
Franky H
F
brother4
Question Why isn't xmlrpc.php monitored by the WordPress jail in Fail2Ban?
Replies
8
Views
2K
Maarten
M
wakabayashi
Resolved Fail2Ban - Postfix not working for SASL (bug?)
Replies
4
Views
2K
mizar
mizar
O
Resolved Brute Force Attack
Replies
10
Views
3K
mar-ek
M
tethis IT
Resolved Loads of messages "named[...]: network unreachable resolving '...': 2001:7fe::53#53"
Replies
2
Views
13K
Alban Staehli
A
Back
Top