Ever since implementing the no-recursion-on-outside-queries fix on one of my name servers, my logwatch emails have been 10-20MB/day, filled with crud like...

client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)

Any idea how to suppress this? This is CentOS 5.latest with BIND 9.7.

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
> any idea how to suppress this? this is centos 5.latest with bind 9.7

A local override: copy the named conf and move the regex that is counting those events up to the ignore section.
On 13.03.2014 at 12:17, John R Pierce <pierce at hogranch.com> wrote:

> ever since implementing the no-recursion-on-outside queries fix on one
> of my name servers, my logwatch emails have been 10-20MB/day, filled
> with crud like...
>
> client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
> client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
>
> any idea how to suppress this? this is centos 5.latest with bind 9.7

    cp /usr/share/logwatch/scripts/services/named /etc/logwatch/scripts/services/named

and make your modifications in /etc/logwatch/scripts/services/named

-- 
LF
On 03/13/2014 12:17 PM, John R Pierce wrote:
> ever since implementing the no-recursion-on-outside queries fix on one
> of my name servers, my logwatch emails have been 10-20MB/day, filled
> with crud like...
>
> client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
> client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)
>
> any idea how to suppress this? this is centos 5.latest with bind 9.7
>

I added this to the named config:

    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };

And applied fail2ban, jail.local:

    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks UDP traffic for DNS requests.
    [named-refused-udp]
    enabled  = true
    filter   = named-refused
    action   = shorewall
               sendmail[name=Named-udp, dest=admin at mail, sender=chiron at mail, sendername="Fail2Ban-named-refused-udp"]
    #action  = iptables-multiport[name=Named, port="domain,953", protocol=udp]
    #          sendmail-whois[name=Named, dest=admin at mail]
    logpath  = /var/log/named/security.log
    # RFC 1918 ranges plus the site's own public /29 are never banned
    ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

    # This jail blocks TCP traffic for DNS requests.
    [named-refused-tcp]
    enabled  = true
    filter   = named-refused
    action   = shorewall
               sendmail[name=Named-tcp, dest=admin at mail, sender=chiron at plnet.rs, sendername="Fail2Ban-named-refused-tcp"]
    #action  = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
    #          sendmail-whois[name=Named, dest=admin at mail]
    logpath  = /var/log/named/security.log
    ignoreip = 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 publicsub/29

Notice that I use shorewall, not iptables directly.
That gave me two things: one is reducing logwatch from 2-5MB to 360KB, and the second is blocking DDoS-attacking IPs from repeating attacks for a certain amount of time (a few days, I think). Too bad fail2ban does not have a global attacker database like denyhosts does. A global threat needs a global defense.

-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

StarOS, Mikrotik and CentOS/RHEL/Linux consultant
On 3/13/2014 4:17 AM, John R Pierce wrote:
> ... 10-20MB daily logs of
> client 10.191.192.212 query (cache) 'm.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.34.96 query (cache) 'dyjwntl.www.0411gogo.com/A/IN' denied: 1 Time(s)
> client 10.192.43.105 query (cache) 'doitxwx.777.liyuanxi.com/A/IN' denied: 1 Time(s)
> client 10.192.90.161 query (cache) 'v.www.90uc.com/A/IN' denied: 1 Time(s)

OK, let me rephrase this question. How do I stop named (bind97 from CentOS 5.10) from logging those specific events at all? There were 1.2 million of these yesterday.

No, fail2ban won't work; no two came from the same IP. AFAIK, these are attempts at cache poisoning, which I've disabled.

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
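The question of where to make named stop emitting these lines is answered by BIND's own logging statement rather than by logwatch or fail2ban. BIND 9 logs "query (cache) '<name>/<type>/<class>' denied" (an allow-recursion/allow-query-cache ACL failure) at severity info under the "security" category, and a channel definition on its own does nothing until a category statement routes messages into it. The following named.conf fragment is an added example, not configuration posted by anyone in the thread; the file path and channel name are borrowed from the fail2ban post above and are otherwise assumed:

```conf
logging {
    // Destination for ACL approval/denial messages: a rotated file that
    // logwatch does not summarise (path assumed, as in the post above).
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity info;         // "denied" lines are logged at info
        print-time yes;
        print-category yes;
    };

    // This is the statement that actually moves the "query (cache) ... denied"
    // lines out of syslog: without it they keep going to default_syslog.
    category security { security_file; };

    // Alternative when the lines are not wanted at all: the predefined
    // "null" channel discards everything sent to the category. Be aware that
    // "security" also carries other denials (zone transfer, dynamic update,
    // notify), which would be silenced too.
    // category security { null; };
};
```

Check the syntax with `named-checkconf` and apply it with `rndc reconfig`; after that, logwatch's named report only sees what still reaches syslog, and a per-client or per-domain count over the dedicated file is a simple `awk` away if the traffic pattern is of interest.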