Configuring Fail2Ban for Bind9

This assumes Fail2Ban is already installed; if it is not, see my article – Installing and Configuring Fail2ban.

By default, Bind9 does not write a security log, so open its configuration file in a text editor:

sudo nano /etc/bind/named.conf

And add:

logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};

Restart Bind9 to apply the changes:

sudo /etc/init.d/bind9 restart

Make sure that the file /var/log/named/security.log was created. If it was not, check that the directory /var/log/named exists and is writable by the user Bind9 runs as.

Now open the Fail2Ban configuration file:

sudo nano /etc/fail2ban/jail.conf

Find the following jail parameters for TCP connections:

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

Change “enabled = false” to “enabled = true”.

The configuration also contains the following jail for UDP connections:

[named-refused-udp]

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

It is better not to enable this jail except in extreme cases: the source IP address of a UDP packet can be spoofed, so an attacker can send refused queries that appear to come from your own or your clients’ addresses, and Fail2Ban will then block those addresses.

Fail2Ban has an “ignoreip” option that prevents the listed addresses from ever being blocked; I recommend using it, for example:

ignoreip = 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
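To see what the named-refused jail does with the lines in security.log, here is an added example (not code from this article or from the Fail2Ban project): a simplified reimplementation of the filter's matching, the per-IP counting and the ignoreip check, run over constructed sample log lines. The regular expression is an approximation of the filter's pattern, and findtime is not modelled.

```python
# Added example, not the article's or Fail2Ban's own code: a simplified model of
# the named-refused jail so the ban decision can be inspected offline.
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format produced by the logging stanza above
# (print-time yes). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
13-Mar-2018 10:15:32.101 client 203.0.113.5#51234 (example.com): query (cache) 'example.com/A/IN' denied
13-Mar-2018 10:15:32.202 client 203.0.113.5#51235 (example.org): query (cache) 'example.org/A/IN' denied
13-Mar-2018 10:15:33.010 client 192.168.1.20#40000 (example.com): query (cache) 'example.com/A/IN' denied
13-Mar-2018 10:15:33.400 client 203.0.113.5#51236 (example.net): query (cache) 'example.net/A/IN' denied
13-Mar-2018 10:15:34.000 client 198.51.100.9#53000: zone transfer 'example.com/AXFR/IN' denied
13-Mar-2018 10:15:35.000 client 203.0.113.7#5353 (example.com): query (cache) 'example.com/A/IN' approved
"""

# Approximation of the filter: "client <ip>#<port> ... denied"; the IP is what
# Fail2Ban would ban. Not a copy of the real named-refused failregex.
REFUSED_RE = re.compile(
    r"^\S+ \S+ client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+.*: .* denied\s*$"
)

# Same networks as the ignoreip line recommended above.
IGNORE_IP = "127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"


def is_ignored(ip: str, ignoreip: str = IGNORE_IP) -> bool:
    """True if ip falls inside any network listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip.split())


def refused_clients(log_text: str) -> Counter:
    """Count 'denied' events per client IP, as the filter would see them."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def ban_candidates(log_text: str, maxretry: int = 3, ignoreip: str = IGNORE_IP) -> list:
    """IPs that reached maxretry denied events and are not covered by ignoreip."""
    return sorted(ip for ip, n in refused_clients(log_text).items()
                  if n >= maxretry and not is_ignored(ip, ignoreip))
```

With the sample above, only 203.0.113.5 reaches the default maxretry of 3; 192.168.1.20 is never a candidate because it is covered by ignoreip.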

Check the result:

sudo fail2ban-client status
sudo iptables-save | grep fail2ban

The file /var/log/fail2ban.log shows what Fail2Ban is blocking.

See also my article:
Installing and Configuring DNS Server BIND9
