Stopping ddos

Ed Daniel esdaniel at esdaniel.com
Thu Aug 4 16:27:24 UTC 2022


On 02/08/2022 22:04, Saleck wrote:
> On Tuesday, 2 August 2022 22:02:58 CEST, Robert Moskowitz wrote:
>> Recently I have been having problems with my server not responding to my
>> requests.  I thought it was all sorts of issues, but I finally looked at
>> the logs and:
>>
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205
>> (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466
>> (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80
>> 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406
>> (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518
>> (.): view external: query (cache) './A/IN' denied
>> Aug  2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584
>> (.): view external: query (cache) './A/IN' denied
>>
>> grep -c denied messages
>> 45868
>>
>> And that is just since Jul 31 3am.
>>
>> This is fairly recent so I never looked into what I might do to protect
>> against this.  I am the master for my domain, so I do need to allow for
>> legitimate queries.
>>
>> Any best practices on this?
>>
>> I am running bind 9.11.4
>>
>> thanks
> 
> You could think about adding fail2ban to your server with some custom rules.
> Helped us in a similar situation.
> 
> Kind regards,
> David
> 
> 

I'm also a longtime and happy Fail2Ban user, more info here:
https://www.linode.com/docs/guides/using-fail2ban-to-secure-your-server-a-tutorial/
https://ixnfo.com/en/configuring-fail2ban-for-bind9.html

HTH,
Ed.
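
Added example, not part of any message in this thread and not fail2ban's own code: a Python sketch of the match-and-threshold check that a custom rule would apply to the "denied" lines quoted above. The names maxretry and findtime mirror fail2ban's jail settings; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches named "query (cache) ... denied" lines in the format quoted in the thread.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+named\[\d+\]:\s+"
    r"client\s+(?:@0x[0-9a-f]+\s+)?(?P<ip>[0-9a-fA-F.:]+)#\d+\s+"
    r"\([^)]*\):\s+(?:view\s+\S+:\s+)?"
    r"query\s+\(cache\)\s+'(?P<query>[^']*)'\s+denied")

def parse_denied(lines, year=2022):
    """Yield (timestamp, client_ip, query) for each denied-query line."""
    for line in lines:
        m = DENIED_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["query"]

def offenders(lines, maxretry=3, findtime=60):
    """Return {ip: peak} for clients with >= maxretry denials inside
    any findtime-second window (peak = most denials in one window)."""
    by_ip = defaultdict(list)
    for ts, ip, _query in parse_denied(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= findtime seconds.
            while ts - stamps[start] > timedelta(seconds=findtime):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            # UDP query sources can be forged, so treat flagged addresses
            # as candidates for review rather than proof of origin.
            flagged[ip] = peak
    return flagged

def _line(ts, ip):  # constructed sample line in the thread's log format
    return (f"Aug  2 {ts} onlo named[6155]: client @0xaa3cad80 {ip}#11205 "
            "(.): view external: query (cache) './A/IN' denied")

SAMPLE = [  # constructed input using documentation-range addresses
    _line("15:47:19", "192.0.2.4"), _line("15:47:20", "192.0.2.4"),
    _line("15:47:49", "192.0.2.4"),
    _line("15:47:19", "198.51.100.9"), _line("15:49:50", "198.51.100.9"),
    "Aug  2 15:47:21 onlo sshd[901]: Connection closed by 203.0.113.7 port 5353",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```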


More information about the bind-users mailing list