Question Log Browser - lot of client [ip]#53 "sl": query (cache) 'sl/ANY/IN' denied

[malware]

Server operating system version

CentOS Linux 7.9.2009 (Core)

Plesk version and microupdate number

Plesk Obsidian 18.0.48

Hi all,

during last days I checked Log Browser and I find lot of this messages:

2022-11-10 11:13:15

INFO

named [8769] System daemons [3]

client @0x7fcbc81063a0 [ip]#53 (sl): query (cache) 'sl/ANY/IN' denied

For example, from 10/11/2022 00:00:02 to 10/11/2022 00:48:15 I have got exactly 1.000 requests. All messages are identical differing only by IP address.
I checked and I have got requests from 47 different IP address. One IP address have made 2 requests, another 67, another 7, and this considering only one hour this night.

I checked and all IP are reported to AbuseIP portal.

My question is: should I block this kind of request? If I block them, I'll save resources?
Furthermore, anyone could explain me what type of requests are and why them are made?

Thank you in advance, I appreciate your support.
Marco

 

[IgorG]

This discussion may be useful to you.

 

[malware]

Thank you.
So, can you confirm me that I should block the requests because are attacks?

 

[IgorG]

So, can you confirm me that I should block the requests because are attacks?

Yes, I use these fail2ban jails on my personal Plesk server.

 

[malware]

Thank you.
I have added two jails as follow:

[named-refused-tcp]
enabled = true
filter = apache-auth
action = iptables-multiport[chain="INPUT", name="Named-tcp", port="domain,953", protocol="tcp", returntype="RETURN", lockingopt="-w"]
logpath = /var/www/vhosts/system/*/logs/error_log
maxretry = 3

[named-refused-udp]
enabled = true
filter = name-refused
action = iptables-multiport[chain="INPUT", name="Named", port="domain,953", protocol="udp", returntype="RETURN", lockingopt="-w"]
logpath = /var/www/vhosts/system/*/logs/error_log
maxretry = 3

The filter name-refused is the following (when I paste from github, it changes?):

[Definition]
_daemon = named(?:-\w+)?
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?
__line_prefix = \s*(?:\S+ %(__daemon_combs_re)s\s+)?%(_category_re)s
failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
^zone transfer
^bad zone transfer request: '\S+/IN': non-authoritative zone
_category = (?!error|info)[\w-]+
_category_re = (?:%(_category)s: )?
prefregex = ^%(__line_prefix)s(??:error|info):\s*)?client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
ignoreregex =

But attacks are not blocked. Can you please report me where is the error?

Thank you again.

PS: I have already restarted fail2ban service.

 

[malware]

I edited and corrected jails as follow, but not working.

[named-refused-tcp]
enabled = true
filter = name-refused
action = iptables-multiport[chain="INPUT", name="Named-tcp", port="domain,953", protocol="tcp", returntype="RETURN", lockingopt="-w"]
logpath = /var/www/vhosts/system/*/logs/error_log
maxretry = 3

[named-refused-udp]
enabled = true
filter = name-refused
action = iptables-multiport[chain="INPUT", name="Named", port="domain,953", protocol="udp", returntype="RETURN", lockingopt="-w"]
logpath = /var/www/vhosts/system/*/logs/error_log
maxretry = 3

 

[IgorG]

On my Plesk 18.0.48 CentOS 7:

 

[IgorG]

named-refused filter:

[Definition]
_daemon = named
__pid_re = (?:\[\d+\])
__daemon_re = \(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__line_prefix = (?:\s*\S+ %(__daemon_combs_re)s\s+)?
prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
    ^zone transfer
    ^bad zone transfer request: '\S+/IN': non-authoritative zone
ignoreregex =

 

[malware]

Thank you.
I edited the filter and now it's identical to yours.

Jails are the following:

[named-refused-tcp]
enabled = true
filter = name-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/www/vhosts/system/*/logs/error_log
maxretry = 2

[named-refused-udp]
enabled = true
filter = name-refused
action = iptables-multiport[name=Named_udp, port="domain,953", protocol=udp]
logpath = /var/www/vhosts/system/*/logs/error_log
maxretry = 2

But I don't find any IP Address blocked and I have got every minute query (cache) denied.
I don't understand the reason.

If anyone has got any ideas... you are welcome

 

[LevelupMedia]

We have same issue, and we tried filters above but they doesn't work.

 

[IgorG]

Are you sure that these messages

query (cache) 'sl/ANY/IN' denied

are in /var/www/vhosts/system/*/logs/error_log log files?
In my case, they are in /var/log/meggages

 

[malware]

I tried to change the directory to "logpath = /var/log/messages" but it's the same.
However /var/www/vhosts/system/*/logs/error_log this file exist.

 

[IgorG]

You must specify the exact log file in which these messages "....query (cache) 'sl/ANY/IN' denied..." appear.

 

[malware]

I confirm that messages appears in the file "/var/log/messages"

 

[LevelupMedia]

Are you sure that these messages

are in /var/www/vhosts/system/*/logs/error_log log files?
In my case, they are in /var/log/meggages

Thank you for a hint, i've checked and our where in /var/log/syslog, it's working for us now.