Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks
1. Install fail2ban
sudo apt-get update ; sudo apt-get install fail2ban
2. create jail file
vi /etc/fail2ban/jail.d/pihole-dns.conf
[pihole-dns]
enabled = true
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/pihole.log
findtime = 60
maxretry = 5
bantime = 3600
3. create filter file
vi /etc/fail2ban/filter.d/pihole-dns.conf
# Fail2Ban configuration file
#
# script from www.marek.tokyo
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = dnsmasq
# log example from /var/log/pihole.log
#Feb 26 04:41:28 dnsmasq[1887]: query[A] 21cl93vlx5n9p.aikoaiko.net from 67.21.36.3
#(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
failregex = .*query\[A\].*from <HOST>
            .*query\[ANY\].*from <HOST>
ignoreregex =
4. test whether the regex works
fail2ban-regex /var/log/pihole.log /etc/fail2ban/filter.d/pihole-dns.conf
You should see results like this:
Running tests
=============
Use failregex filter file : pihole-dns, basedir: /etc/fail2ban
Use log file : /var/log/pihole.log
Use encoding : UTF-8
Results
=======
Failregex: 4127 total
|- #) [# of hits] regular expression
| 1) [4125] .*query\[A\].*from <HOST>
| 2) [2] .*query\[ANY\].*from <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [15674] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 15674 lines, 0 ignored, 4127 matched, 11547 missed
[processed in 1.25 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 11547 lines
We got hits (shown in red in the terminal), so the regex works.
5. add your own IP to the ignore list to prevent being blocked
Use your local IP, or your global IP if the Pi-hole is open access or a relay installed on a cloud VPS etc.
vi /etc/fail2ban/jail.conf
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8, 192.168.0.1/24
6. restart fail2ban service
7. to check whether fail2ban works
fail2ban-client status pihole-dns
Status for the jail: pihole-dns
|- Filter
| |- Currently failed: 1
| |- Total failed: 75
| `- File list: /var/log/pihole.log
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 172.93.106.230 67.21.36.3
8. (optional, for CentOS 7)
You can check the ipset list directly:
ipset list fail2ban-pihole-dns-udp
Name: fail2ban-pihole-dns-udp
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 312
References: 1
Number of entries: 2
Members:
67.21.36.3 timeout 558
172.93.106.230 timeout 558
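To see what the jail above actually decides for a given log, here is an added Python example (not part of the original post and not fail2ban's own code) that applies the two failregex patterns and the findtime, maxretry and ignoreip values from steps 2, 3 and 5 to a constructed pihole.log sample; the timestamps' year and the sample addresses are assumptions, and the sample also shows that query[AAAA] lines are not matched by this filter.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The page's two failregex lines, with fail2ban's <HOST> placeholder expanded to a
# named IPv4 group (real fail2ban also matches IPv6 addresses and hostnames there).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(r".*query\[A\].*from " + HOST),
             re.compile(r".*query\[ANY\].*from " + HOST)]
# Jail settings from pihole-dns.conf and ignoreip from jail.conf (strict=False
# tolerates the host bits in 192.168.0.1/24, as fail2ban does).
FINDTIME, MAXRETRY = 60, 5
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "192.168.0.1/24")]
# Constructed sample in dnsmasq's /var/log/pihole.log format; not real traffic.
SAMPLE_LOG = """\
Feb 26 04:41:28 dnsmasq[1887]: query[A] a.example.net from 198.51.100.7
Feb 26 04:41:29 dnsmasq[1887]: query[ANY] a.example.net from 198.51.100.7
Feb 26 04:41:30 dnsmasq[1887]: query[AAAA] a.example.net from 198.51.100.7
Feb 26 04:41:31 dnsmasq[1887]: query[A] b.example.net from 198.51.100.7
Feb 26 04:41:32 dnsmasq[1887]: query[A] c.example.net from 198.51.100.7
Feb 26 04:41:33 dnsmasq[1887]: query[A] d.example.net from 198.51.100.7
Feb 26 04:41:34 dnsmasq[1887]: query[A] laptop.lan from 192.168.0.20
Feb 26 04:50:00 dnsmasq[1887]: query[A] example.org from 203.0.113.9
"""

def parse(line, year=2024):
    """Return (timestamp, host) when a line matches the filter, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:  # syslog timestamps carry no year; assume one, as fail2ban's date template does
            return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"), m.group("host")
    return None

def would_ban(log):
    """Simulate the jail: ban a host after MAXRETRY matches within a FINDTIME-second window."""
    hits, banned = defaultdict(list), []
    for line in log.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host = parsed
        if any(ipaddress.ip_address(host) in net for net in IGNOREIP) or host in banned:
            continue
        recent = [t for t in hits[host] if (ts - t).total_seconds() <= FINDTIME] + [ts]
        hits[host] = recent
        if len(recent) >= MAXRETRY:
            banned.append(host)
    return banned
```

Any client outside ignoreip that sends five matched queries within a minute is banned, which is why step 5 matters for remote users of the Pi-hole.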
Thanks for the guide! Very useful!
I've set up a Pi-hole that I can access from my mobile externally; the problem is this fail2ban config just bans any outside connection instantaneously.
Is that its purpose, rather than banning amplification attacks?
You can always add ignoreip in fail2ban.conf and add the network of your mobile provider.
Thank you!