Blame | Last modification | View Log | RSS feed
# Fail2Ban filter file for named (bind9).## This filter blocks attacks against named (bind9) however it requires special# configuration on bind.## By default, logging is off with bind9 installation.## You will need something like this in your named.conf to provide proper logging.## logging {# channel security_file {# file "/var/log/named/security.log" versions 3 size 30m;# severity dynamic;# print-time yes;# };# category security {# security_file;# };# };[Definition]# Daemon name_daemon=named# Shortcuts for easier comprehension of the failregex__pid_re=(?:\[\d+\])__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)# hostname daemon_id spaces# this can be optional (for instance if we match named native log files)__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?^zone transfer^bad zone transfer request: '\S+/IN': non-authoritative zoneignoreregex =# DEV Notes:# Trying to generalize the# structure which is general to capture general patterns in log# lines to cover different configurations/distributions## Author: Yaroslav Halchenko