Securing the Pi-hole with fail2ban to stop it being abused for DNS amplification attacks
1. Install fail2ban
sudo apt-get update ; sudo apt-get install fail2ban
2. Create the jail file
vi /etc/fail2ban/jail.d/pihole-dns.conf
[pihole-dns]
enabled = true
port = 53
# ban both UDP and TCP 53; the second action line must stay indented
# (it is a continuation of the first)
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/pihole.log
# a host is banned once it produces maxretry matching queries within
# findtime seconds; the ban lasts bantime seconds
findtime = 60
maxretry = 5
bantime = 3600
3. Create the filter file
vi /etc/fail2ban/filter.d/pihole-dns.conf
# Fail2Ban configuration file
#
# script from www.marek.tokyo
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = dnsmasq
# log example from /var/log/pihole.log
#Feb 26 04:41:28 dnsmasq[1887]: query[A] 21cl93vlx5n9p.aikoaiko.net from 67.21.36.3
#(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
# Every A and ANY query counts as a "failure", legitimate or not, so any
# client that sends more than maxretry queries within findtime is banned
# unless it is listed in ignoreip (step 5). The second pattern must stay
# indented as a continuation line.
failregex = .*query\[A\].*from <HOST>
            .*query\[ANY\].*from <HOST>
ignoreregex =
4. Test that the regex matches your log
fail2ban-regex /var/log/pihole.log /etc/fail2ban/filter.d/pihole-dns.conf
You should see results like this:
Running tests
=============
Use failregex filter file : pihole-dns, basedir: /etc/fail2ban
Use log file : /var/log/pihole.log
Use encoding : UTF-8
Results
=======
Failregex: 4127 total
|- #) [# of hits] regular expression
| 1) [4125] .*query\[A\].*from <HOST>
| 2) [2] .*query\[ANY\].*from <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [15674] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 15674 lines, 0 ignored, 4127 matched, 11547 missed
[processed in 1.25 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 11547 lines
The hits are shown in red in the terminal, so the regex works.
5. Add your own IPs to the ignore list so you do not ban yourself
Use your local network range, or your public IP if the Pi-hole is reachable from the internet (for example an open resolver or relay installed on a cloud VPS). Because the filter counts every query, any legitimate client that is not listed here will be banned after maxretry queries within findtime. If the Pi-hole does not need to answer the public internet at all, restrict port 53 to your own networks at the firewall rather than relying on fail2ban alone.
vi /etc/fail2ban/jail.local
(jail.conf is overwritten on package upgrades and its header says not to edit it; settings in jail.local override it)
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8,
           192.168.0.0/24
6. Restart the fail2ban service
7. Check that the jail is working
fail2ban-client status pihole-dns
Status for the jail: pihole-dns
|- Filter
| |- Currently failed: 1
| |- Total failed: 75
| `- File list: /var/log/pihole.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 172.93.106.230 67.21.36.3
8. (optional, CentOS 7)
If your banaction uses ipset, you can inspect the set directly
ipset list fail2ban-pihole-dns-udp
Name: fail2ban-pihole-dns-udp
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 312
References: 1
Number of entries: 2
Members:
67.21.36.3 timeout 558
172.93.106.230 timeout 558
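To see what the jail above actually does before switching it on, here is an added example (not code from the original tutorial, and not fail2ban's own code) that re-implements the jail's counting rules in plain Python: the two failregex patterns, the findtime sliding window, maxretry, and the ignoreip ranges from step 5. It runs them over a constructed pihole.log excerpt (the IPs, names and timestamps are made up, using documentation address ranges; the year is assumed because dnsmasq does not log one) and reports which sources would be banned, and when.

```python
"""Model of the pihole-dns jail: which source IPs would it ban?

Added example, not part of the original tutorial or of fail2ban. It applies
the jail's rules (failregex, findtime, maxretry, ignoreip) to constructed
pihole.log lines so the effect of the settings is visible in advance.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex lines from filter.d/pihole-dns.conf; fail2ban's <HOST> tag is
# expanded here to an IPv4 capture group (the real tag also matches IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    re.compile(r".*query\[A\].*from " + HOST),
    re.compile(r".*query\[ANY\].*from " + HOST),
]
# Values from jail.d/pihole-dns.conf and the ignoreip line of jail.local.
FINDTIME = 60   # seconds
MAXRETRY = 5    # hits within FINDTIME that trigger a ban
IGNOREIP = [ipaddress.ip_network("127.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/24")]

# dnsmasq syslog-style timestamp; the log has no year, so one is assumed.
TIMESTAMP = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) ")
ASSUMED_YEAR = 2018


def parse_line(line):
    """Return (datetime, host) if the line matches a failregex, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    for rx in FAILREGEX:
        hit = rx.match(line)
        if hit:
            when = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}",
                                     "%Y %b %d %H:%M:%S")
            return when, hit.group("host")
    return None


def is_ignored(host, ignoreip):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ignoreip)


def count_hits(lines):
    """Per-host hit counts, i.e. what fail2ban-regex would report per <HOST>."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def simulate(lines, findtime=FINDTIME, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Return {host: time_of_ban} for hosts reaching maxretry hits in findtime.

    Per-host sliding window: hits older than findtime are dropped before the
    count is compared with maxretry. ignoreip hosts are never counted and a
    host is banned at most once per run.
    """
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        if host in banned or is_ignored(host, ignoreip):
            continue
        window = windows[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = when
    return banned


# Constructed log excerpt (not real traffic): a LAN client browsing, a
# slow external client, an external A-query burst and an ANY-query burst.
SAMPLE_LOG = """\
Feb 26 04:40:00 dnsmasq[1887]: query[A] example.com from 203.0.113.7
Feb 26 04:40:15 dnsmasq[1887]: query[A] example.net from 203.0.113.7
Feb 26 04:40:30 dnsmasq[1887]: query[A] example.org from 203.0.113.7
Feb 26 04:40:45 dnsmasq[1887]: query[A] example.edu from 203.0.113.7
Feb 26 04:41:00 dnsmasq[1887]: query[A] www.example.com from 192.168.0.20
Feb 26 04:41:01 dnsmasq[1887]: reply www.example.com is 93.184.216.34
Feb 26 04:41:02 dnsmasq[1887]: query[A] cdn1.example.com from 192.168.0.20
Feb 26 04:41:04 dnsmasq[1887]: query[A] cdn2.example.com from 192.168.0.20
Feb 26 04:41:05 dnsmasq[1887]: query[A] example.info from 203.0.113.7
Feb 26 04:41:06 dnsmasq[1887]: query[A] api.example.com from 192.168.0.20
Feb 26 04:41:08 dnsmasq[1887]: query[A] img.example.com from 192.168.0.20
Feb 26 04:41:10 dnsmasq[1887]: query[AAAA] example.com from 203.0.113.7
Feb 26 04:41:10 dnsmasq[1887]: query[A] js.example.com from 192.168.0.20
Feb 26 04:41:28 dnsmasq[1887]: query[A] xk2q9.target.example from 198.51.100.9
Feb 26 04:41:29 dnsmasq[1887]: query[A] p7m1c.target.example from 198.51.100.9
Feb 26 04:41:30 dnsmasq[1887]: query[A] zb4ne.target.example from 198.51.100.9
Feb 26 04:41:31 dnsmasq[1887]: query[A] t0w8l.target.example from 198.51.100.9
Feb 26 04:41:32 dnsmasq[1887]: query[A] q6d3f.target.example from 198.51.100.9
Feb 26 04:41:33 dnsmasq[1887]: query[A] v5x2j.target.example from 198.51.100.9
Feb 26 04:45:00 dnsmasq[1887]: query[ANY] example.com from 203.0.113.50
Feb 26 04:45:01 dnsmasq[1887]: query[ANY] example.com from 203.0.113.50
Feb 26 04:45:02 dnsmasq[1887]: query[ANY] example.com from 203.0.113.50
Feb 26 04:45:03 dnsmasq[1887]: query[ANY] example.com from 203.0.113.50
Feb 26 04:45:04 dnsmasq[1887]: query[ANY] example.com from 203.0.113.50
""".splitlines()

if __name__ == "__main__":
    print("hits per host:", count_hits(SAMPLE_LOG))
    for host, when in simulate(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
    print("without ignoreip:", sorted(simulate(SAMPLE_LOG, ignoreip=[])))
```

Three things the run makes visible: the LAN client 192.168.0.20 sends six queries in ten seconds and is only spared because of ignoreip (drop the list and it is banned at 04:41:08); 203.0.113.7 sends five queries but never five inside one 60-second window, so it survives with findtime = 60 and is banned with findtime = 120; and the AAAA query is not counted at all, because the filter only matches A and ANY.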
based on this