Rev 3 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# Fail2Ban filter file for named (bind9).## This filter blocks attacks against named (bind9) however it requires special# configuration on bind.## By default, logging is off with bind9 installation.## You will need something like this in your named.conf to provide proper logging.## logging {# channel security_file {# file "/var/log/named/security.log" versions 3 size 30m;# severity dynamic;# print-time yes;# };# category security {# security_file;# };# };[Definition]# Daemon name_daemon=named# Shortcuts for easier comprehension of the failregex__pid_re=(?:\[\d+\])__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)# hostname daemon_id spaces# this can be optional (for instance if we match named native log files)__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ignoreregex =# DEV Notes:# Trying to generalize the# structure which is general to capture general patterns in log# lines to cover different configurations/distributions## Author: Yaroslav Halchenko