fail2ban + dns = fail

Posted by Nico Golde in
Wednesday, May 26. 2010

fail2ban is used by many people to prevent certain types of DoS attacks. I use it myself to reduce trackback spam a little bit.

While this tool becomes quite handy in such situations it is also not generally recommend because you can shoot yourself in the foot. If one of the used filters has a bug and results in incorrect parsing your fail2ban installation might end up banning arbitrary IP addresses or even your own IP range (not even mentioning IP spoofing).
There existed at least two bugs of this kind to my knowledge and since regex might not always be easy I'm sure there will be more in the future.

Since I didn't want to look for a specific regex bug in one of the filters I thought about IP spoofing again and looked at fail2bans filters. What I needed was a filter processing log entries of a service listening on a UDP socket as TCP/IP spoofing over the internet doesn't really work well these days. Finding such a filter would mean an instant win situation. To my surprise there is such a filter: config/filter.d/named.conf

This filter is used to parse log entries consisting of denied DNS queries produced by bind. Interestingly there is even an article at debian-administration describing how to setup fail2ban to mitigate a DNS DDoS attack. This is of course a bad idea and I have no idea why this filter is shipped in a default fail2ban installation. DoSing abritary IP addresses with this filter in use becomes as easy as firing up scapy and querying the server with a forged source IP:

>>> send(IP(dst="81.169.172.197",src="xx.46.63.71")/UDP()/DNS(rd=1,qd=DNSQR(qname="foao.modprobe.de")))
.
Sent 1 packets.

This ends up as:
May 26 22:32:22 modprobe named[30245]: client xx.46.63.71#53: query 'foao.modprobe.de/A/IN' denied

in the bind logs which in turn results in:
2010-05-26 22:32:05,551 fail2ban.actions: WARNING [named-refused] Ban xx.46.63.71

In this example the spoofed IP was xx.46.63.71 which is not under my control.

Mission statement: don't use fail2ban unless you really want to shoot yourself in the foot or know pretty well what you're doing

Comments (4) - Trackbacks (0)

Defined tags for this entry: configuration, debian, fail, fail2ban, security, software

Related entries by tags:

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

I guess I should take all the blame for this:

commit 042e160eeb3d7a09b0bb8dcda92f284bc3889f1d
Author: lostcontrol
Date: Wed Aug 8 22:21:15 2007 +0000

- Added filter file for named (bind9). Thanks to Yaroslav Halchenko

But I wonder why for "bad ... idea why this filter is shipped in a default fail2ban installation" I see no new bug report among

http://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=both;src=fail2ban;submitter=nion%40debian.org

This one indeed should be highly unadvised (and removed from jails.conf shipped with Debian) unless ignoreip can cover the range of valuable not-to-DoS for sure IPs ... or may be there is another precaution (matching incoming IPs based on interfaces on gateways etc) you have in mind?

anyways, awaiting for a bug report

P.S. I still consider 'rm' to be the most dangerous command of all times... god bless zsh and its protective powers

#1 Yaroslav Halchenko (Homepage) on 2010-05-27 06:27 (Reply)

excuse my lazyness, I was too lazy to report this as a bug. Imho the whole fail2ban package should ship with a big fat warning for unexperienced users. anyway, I filed one now.

@zsh, I do agree

Even though I once rmed my /etc when trying to show the zsh asking for the deletion and I missed that it only does on /etc/*

#1.1 nion on 2010-05-27 13:07 (Reply)

"for unexperienced users" I bet noone really would run a serious targetted DoS attack, but some automated script junkies looking looking for easy targets and doing dictionary attacks. And that is where (and thus for whom) fail2ban shines. DNS issue though is a bit closer to the reality of admins, and they better be experienced, and if they are not, such DoS would be the gentle lesson... may be I should advocate it as an educational tool then

but point is taken -- I might add some warning (thought about it myself as well)

#2 Yaroslav Halchenko (Homepage) on 2010-05-27 13:44 (Reply)

yes i agree on that though in the case of dns providing a filter for udp really doesn't make sense

not saying fail2ban sucks, i'm using it as well for some special purposes

#2.1 nion on 2010-05-27 14:53 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets. E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets.
	Remember Information?