Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks

 

1. Install fail2ban 

sudo apt-get update ; sudo apt-get install fail2ban

2. create jail file

vi /etc/fail2ban/jail.d/pihole-dns.conf

[pihole-dns]
enabled = true
port     = 53
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/pihole.log
findtime = 60
maxretry = 5
bantime = 3600

 

3. create filter file

vi /etc/fail2ban/filter.d/pihole-dns.conf

# Fail2Ban configuration file
#
# script from www.marek.tokyo
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = dnsmasq

# log example from /var/log/pihole.log
#Feb 26 04:41:28 dnsmasq[1887]: query[A] 21cl93vlx5n9p.aikoaiko.net from 67.21.36.3
#(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?



failregex =  .*query\[A\].*from <HOST>
                   .*query\[ANY\].*from <HOST>

ignoreregex =

4. test if regex works

fail2ban-regex /var/log/pihole.log /etc/fail2ban/filter.d/pihole-dns.conf


you should have results like this:








Running tests
=============

Use   failregex filter file : pihole-dns, basedir: /etc/fail2ban
Use   log file : /var/log/pihole.log
Use   encoding : UTF-8


Results
=======

Failregex: 4127 total
|-  #) [# of hits] regular expression
|   1) [4125] .*query\[A\].*from <HOST>
|   2) [2] .*query\[ANY\].*from <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [15674] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 15674 lines, 0 ignored, 4127 matched, 11547 missed
[processed in 1.25 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 11547 lines




Got hits (in red) so regex works !

5. add your`s IP to ignore list to prevent being blocked

use your local IP or global if Pi-hole is open access/relay installed on cloud VPS etc.

 vi /etc/fail2ban/jail.conf

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8, 192.168.0.1/24

 

6. restart fail2ban service

 

7. to check if fail2ban works 

fail2ban-client status pihole-dns

Status for the jail: pihole-dns
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     75
|  `- File list:        /var/log/pihole.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   172.93.106.230 67.21.36.3

 8. (optional for Centos 7)

You can check ipset list directly

ipset list fail2ban-pihole-dns-udp



Name: fail2ban-pihole-dns-udp
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 312
References: 1
Number of entries: 2
Members:
67.21.36.3 timeout 558
172.93.106.230 timeout 558

 

based on this