Support for security such as Firewalls and securing linux
by agriz (Posts: 267, Joined: 2011/11/19 15:17:40) » 2015/06/13 23:09:53
Hi
I got a mail from my service provider saying "Open recursive resolver used for an attack: IP-ADDRESS"
As a quick fix:
    options {
        listen-on port 53 { 127.0.0.1; my-server-ip-address; };
        ...
    }
Before, it was:
    options {
        listen-on port 53 { any; };
    }
Will it solve the problem?
listen-on port 53 { 127.0.0.1; ip; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query {
    any;
};
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "...";            // there is some directory path
managed-keys-directory "....";  // there is some directory path
pid-file "...";                 // there is some directory path
session-keyfile "...";          // there is some directory path
also-notify {
};
};
Please kindly advise me.
by avij (Retired Moderator, Posts: 3046, Joined: 2010/12/01 19:25:52, Location: Helsinki, Finland) » 2015/06/14 04:33:50
No, that probably won't help.
Try adding allow-recursion { localhost; }; to the configuration. Depending on your configuration, you may also need to add your server's IP: allow-recursion { localhost; your-server-ip-address; };
If this name server is used by multiple machines in your network, you may need to allow them as well: allow-recursion { localhost; your-server-ip-address; 192.168.0.0/24; }; (where 192.168.0.x is your local network, adjust appropriately).
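Added example (not from the thread, and not part of BIND): a small Python checker that applies the rule behind avij's answer to a named.conf text. The point it makes explicit is why the listen-on change alone does nothing: when allow-recursion is absent, BIND 9 falls back to allow-query-cache, then to allow-query, and only then to its built-in localnets; localhost, so the posted allow-query { any; } made recursion world-reachable regardless of which addresses named listens on. The configs below are constructed from the first post; 203.0.113.5 and 192.168.0.0/24 are stand-ins for the poster's server IP and LAN, and the elided paths from the post are simply omitted. Only the top-level options block is examined; per-view overrides are out of scope.

```python
import re

# Constructed stand-ins (not from the thread): the server's public IP and LAN.
SERVER_IP = "203.0.113.5"
LAN = "192.168.0.0/24"

# Constructed from the config in the first post: allow-query is wide open and
# allow-recursion is never set, so recursion is effectively allowed from anywhere.
AS_POSTED = f"""
options {{
    listen-on port 53 {{ 127.0.0.1; {SERVER_IP}; }};
    listen-on-v6 port 53 {{ ::1; }};
    directory "/var/named";
    allow-query {{ any; }};
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    dnssec-lookaside auto;
}};
"""

# Same config with avij's fix applied: recursion only for the box itself and its LAN.
HARDENED = AS_POSTED.replace(
    "recursion yes;",
    f"recursion yes;\n    allow-recursion {{ localhost; {SERVER_IP}; {LAN}; }};")

# What the original poster did instead: no recursion at all (authoritative-only server).
AUTHORITATIVE_ONLY = AS_POSTED.replace("recursion yes;", "recursion no;")


def strip_comments(text: str) -> str:
    """Drop /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_body(conf: str) -> str:
    """Return the brace-matched body of the top-level options { ... } block."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def address_list(body: str, name: str):
    """Tokens of `name { a; b; };`, or None when the directive is absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", body)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def effective_recursion_acl(body: str):
    """BIND 9's fallback order when allow-recursion is not set:
    allow-query-cache, then allow-query, then the built-in localnets; localhost."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = address_list(body, name)
        if acl is not None:
            return name, acl
    return "built-in default", ["localnets", "localhost"]


def is_open_resolver(conf: str):
    """(open?, explanation) for a named.conf text."""
    body = strip_comments(options_body(conf))
    m = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    if m and m.group(1) == "no":
        return False, "recursion no: server is authoritative-only"
    source, acl = effective_recursion_acl(body)
    wide_open = any(t in ("any", "0.0.0.0/0", "::/0") for t in acl)
    return wide_open, f"recursion allowed from {source} = {{ {'; '.join(acl)}; }}"


if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("hardened", HARDENED),
                        ("recursion no", AUTHORITATIVE_ONLY)):
        print(f"{label:13s}", *is_open_resolver(conf))
```

Run it against your real file with `is_open_resolver(open("/etc/named.conf").read())`; the explanation string names which directive is actually governing recursion, which is the line to fix. The checker deliberately ignores listen-on, because an attacker reaching the public IP is reaching an address named listens on either way.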
by agriz » 2015/06/14 07:26:10
avij wrote:No, that probably won't help.
Try adding allow-recursion { localhost; }; to the configuration. Depending on your configuration, you may also need to add your server's IP: allow-recursion { localhost; your-server-ip-address; };
If this name server is used by multiple machines in your network, you may need to allow them as well: allow-recursion { localhost; your-server-ip-address; 192.168.0.0/24; }; (where 192.168.0.x is your local network, adjust appropriately).
Sir,
I turned off recursion.
recursion no; is given in the options now.
I have one dedicated server and I run three websites. All are sharing the same IP address.
Can I still add the lines you mentioned to options { }?
by agriz » 2015/06/14 07:40:36
Sir,
I tried to see the connections list.
But it does not look like I have been hit by a DDoS.
Is there any way to check?
    ps -aux|grep HTTP|wc -l
    1
    netstat -lpn|grep :80 |awk '{print $5}'|sort
    0.0.0.0:*
by TrevorH (Site Admin, Posts: 33224, Joined: 2009/09/24 10:40:56, Location: Brighton, UK) » 2015/06/14 11:00:59
DNS uses UDP and TCP port 53, not port 80.
by agriz » 2015/06/14 11:19:49
I tried this command:
    netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort
Is it okay to use?
    11 0.0.0.0
    37 127.0.0.1
There are about 20 IPs listed with 1 before them,
about 10 IPs listed with 2 and 3 before them,
4 before the IP (about 4 to 5),
5 before the IP (about 4 to 5),
6 before the IP (about 3).
by TrevorH » 2015/06/14 11:29:24
If you were under attack then just running tcpdump not port 22 -n -nn -l -i ethX would show you dozens of packets arriving and leaving. The "not port 22" is there in case you are connected over ssh and is to stop it looping when it dumps packets to port 22 about the packets it just saw... and obviously ethX needs amending to your real interface name.
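Added example (not from the thread): what to look for once the capture TrevorH describes is running. For a reflection attack the resolver is the amplifier, so the tell is not connection counts on port 80 but many small UDP/53 queries (typically ANY) whose answers are far larger than the questions, all "from" one address. That address is the spoofed victim, not the attacker, so blocking it does nothing; the fix is the resolver configuration. The Python below builds the capture command with the real ssh port excluded (2222 is an assumption; the poster only says it is not 22) and runs a per-source triage over a constructed sample written in the shape tcpdump -n -nn prints for DNS. 203.0.113.5 stands in for the server, 198.51.100.7 for the spoofed victim, 192.168.0.10 for a legitimate LAN client; none of it is a real capture.

```python
import re
from collections import defaultdict

SSH_PORT = 2222   # assumption: the poster only says the sshd port is not 22


def capture_command(iface: str, ssh_port: int = SSH_PORT) -> str:
    """TrevorH's capture with the real ssh port excluded and narrowed to DNS traffic."""
    return f"tcpdump -n -nn -l -i {iface} 'not port {ssh_port} and udp port 53'"


# Constructed sample (not a real capture), in tcpdump -n -nn output format.
SAMPLE = """\
12:00:00.000101 IP 198.51.100.7.33000 > 203.0.113.5.53: 1001+ ANY? example.com. (25)
12:00:00.000402 IP 203.0.113.5.53 > 198.51.100.7.33000: 1001 48/0/0 A 192.0.2.1, RRSIG, NS ns.example.com. (3200)
12:00:00.000610 IP 198.51.100.7.33000 > 203.0.113.5.53: 1002+ ANY? example.com. (25)
12:00:00.000920 IP 203.0.113.5.53 > 198.51.100.7.33000: 1002 48/0/0 A 192.0.2.1, RRSIG, NS ns.example.com. (3200)
12:00:00.001130 IP 198.51.100.7.33000 > 203.0.113.5.53: 1003+ ANY? example.com. (25)
12:00:00.001440 IP 203.0.113.5.53 > 198.51.100.7.33000: 1003 48/0/0 A 192.0.2.1, RRSIG, NS ns.example.com. (3200)
12:00:01.200000 IP 192.168.0.10.51234 > 203.0.113.5.53: 7+ A? www.example.org. (32)
12:00:01.201500 IP 203.0.113.5.53 > 192.168.0.10.51234: 7 1/0/0 A 192.0.2.80 (48)
"""

# timestamp IP src.sport > dst.dport: txid[flags] body (length)
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+%$|-]*) (?P<body>.*) \((?P<length>\d+)\)$")


def triage(capture: str, server_ip: str, min_queries: int = 3, min_amp: float = 10.0):
    """Per client address: query count, query types, and bytes answered per byte asked.
    A source sending many queries that we answer with >= min_amp times the bytes is
    the signature of our resolver being used as an amplifier against that source."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0, "qtypes": set()})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        n = int(m["length"])
        if m["dst"] == server_ip and m["dport"] == "53":       # query to our resolver
            s = stats[m["src"]]
            s["queries"] += 1
            s["bytes_in"] += n
            q = re.match(r"(\S+)\? ", m["body"])               # "ANY? name." -> ANY
            if q:
                s["qtypes"].add(q.group(1))
        elif m["src"] == server_ip and m["sport"] == "53":     # our answer going out
            stats[m["dst"]]["bytes_out"] += n
    report = {}
    for ip, s in stats.items():
        amp = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else 0.0
        report[ip] = {
            "queries": s["queries"],
            "qtypes": sorted(s["qtypes"]),
            "amplification": round(amp, 1),
            "suspicious": s["queries"] >= min_queries and amp >= min_amp,
        }
    return report


if __name__ == "__main__":
    print(capture_command("eth0"))
    for ip, r in triage(SAMPLE, "203.0.113.5").items():
        print(ip, r)
```

Feed it a saved capture with `triage(open("dns.txt").read(), "your-server-ip")` after running the printed tcpdump command with `> dns.txt`. The thresholds are starting points; a recursive resolver that is correctly restricted will answer the spoofed queries with REFUSED, a few dozen bytes each, and the amplification column drops to about 1.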
by agriz » 2015/06/14 11:37:16
TrevorH wrote:If you were under attack then just running tcpdump not port 22 -n -nn -l -i ethX would show you dozens of packets arriving and leaving. The "not port 22" is there in case you are connected over ssh and is to stop it looping when it dumps packets to port 22 about the packets it just saw... and obviously ethX needs amending to your real interface name.
Sir, you are talking very technically and it is difficult for me to understand. I read it more than a few times and it is still difficult to understand.
My sshd port is not 22. I changed it to something else.
by TrevorH » 2015/06/14 11:49:28
Then change the excluded ssh port in my command to the one you used.