View file File name : named-refused.conf Content :# Fail2Ban filter file for named (bind9). # # This filter blocks attacks against named (bind9) however it requires special # configuration on bind. # # By default, logging is off with bind9 installation. # # You will need something like this in your named.conf to provide proper logging. # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; [Definition] # Daemon name _daemon=named # Shortcuts for easier comprehension of the failregex __pid_re=(?:\[\d+\]) __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:? __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) # hostname daemon_id spaces # this can be optional (for instance if we match named native log files) __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$ failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))? ^zone transfer ^bad zone transfer request: '\S+/IN': non-authoritative zone ignoreregex = # DEV Notes: # Trying to generalize the # structure which is general to capture general patterns in log # lines to cover different configurations/distributions # # Author: Yaroslav Halchenko