• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Named attack

EnriqueR

Regular Pleskian
I am having a problem with my Plesk server since for a few weeks it is being attacked using brute force in named. I have noticed that in the file '/var/log/messages' the following line appears thousands of times:

Nov 22 16:43:04 myserver named[571]: client x.x.x.x#49784: query (cache) 'domain.com/A/IN' denied
Nov 22 16:43:04 myserver named[571]: client x.x.x.x#49784: query (cache) 'domain.com/A/IN' denied
...

Most domain.com logged no longer exist in my VPS.
I have seen in a forum that adding the following content in the file '/etc/named.conf' solves the problem:

Code:
options{
...
allow-query-cache { none; };
recursion no;
additional-from-auth no;
additional-from-cache no;
minimal-responses yes;
...
}

But I can not modify this file because on entering it says:

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED

I created two filter rules in fail2ban (named-refused-tcp, named-refused-udp) explained here and working ok:

https://talk.plesk.com/threads/dns-recurcion-problem-or-attack.312799/

But although it works, it does not stop filtering different IPs without limit. It currently has 1500 and up. According to the modification I indicated above in named.conf, this attack would be solved without having to work fail2ban, which is much more effective.

How can I modify the named.conf file? Or if you have another solution to mitigate the attack ...
 
@EnriqueR

The problem with Fail2Ban is that it is

- iptables based,
- allowing bans during a specific period of time (hence requiring resources to keep track of IPs to ban and IPs banned)

implying that both Fail2Ban and any iptables based firewall can become a bottleneck, or even a cause of problems.

One can configure Fail2Ban to use a custom jail and filter, in order to block really bad IPs in the /etc/hosts.deny file: this is a quick and efficient fix.

One can also configure named by using the "include" statement in the named.conf file, which allows you to put your modifications in a separate file.

In my opinion, the "hosts.deny" option is the most efficient, if and only if the bad IPs are blocked for a very long period (consider a ban period of 1 year).

Hope this helps a bit.

Regards......
 
@EnriqueR

The problem with Fail2Ban is that it is

- iptables based,
- allowing bans during a specific period of time (hence requiring resources to keep track of IPs to ban and IPs banned)

implying that both Fail2Ban and any iptables based firewall can become a bottleneck, or even a cause of problems.

One can configure Fail2Ban to use a custom jail and filter, in order to block really bad IPs in the /etc/hosts.deny file: this is a quick and efficient fix.

One can also configure named by using the "include" statement in the named.conf file, which allows you to put your modifications in a separate file.

In my opinion, the "hosts.deny" option is the most efficient, if and only if the bad IPs are blocked for a very long period (consider a ban period of 1 year).

Hope this helps a bit.

Regards......

@trialotto I can not use "hosts.deny" because IPs are constantly changing between attacks. And I can not include nothing in the named.conf file because it clearly states that is generated automatically.

:(:(
 
@EnriqueR

Using Fail2Ban to write to hosts.deny will allow you to (automatically) update the hosts.deny file (read: add and delete IPs, according to the Fail2Ban jail and filter specifications).

So, IP changes are not that relevant: they simply result in another line in the hosts.deny file.

Regards.....
 
Back
Top