Revision history for DNSBlockList
Revision [3671]
Last edited on 2016-05-30 22:49:36 by CalumMcAlinden [Replaces old-style internal links with new pipe-split links.]
Additions:
[[AutoBlockSH | autoblock]] v20060120
[[AutoBlockRules | autoblock.rules]]
[[AutoBlockCleanup | cleanup]] v20060120
Deletions:
[[AutoBlockRules autoblock.rules]]
[[AutoBlockCleanup cleanup]] v20060120
Revision [3366]
Edited on 2014-08-24 06:55:51 by CalumMcAlinden [Replaces old-style internal links with new pipe-split links.]
Additions:
This page focuses on a server which is running ""Bind9"". If you are not using autoconf for that purpose, you can ignore those sections below.
* match = String match, use | to separate multiple matches
Match defines the strings we look for on each line of /var/log/filter. In this case, we will require matching two strings (separated by the | pipe). It looks for "sshd", then it looks for ": Failed password for". If both strings are found, the rule will be processed.
There is one additional parameter - domain. This is a special-case rule created for DNS abuse which looks for the same information being requested simultaneously from multiple IPs. For example, when multiple spambots are instructed to begin a spam-run, they will all be using the same list of email addresses to send to. The result of this is that our filter log will show several IP addresses requesting the same non-existent domain name at nearly the same time. The domain parameter has two parts, separated by a pipe, which encloses the domain name being requested. For example:
Deletions:
* match = String match, use | to seperate multiple matches
Match defines the strings we look for on each line of /var/log/filter. In this case, we will require matching two strings (seperated by the | pipe). It looks for "sshd", then it looks for ": Failed password for". If both strings are found, the rule will be processed.
There is one addition parameter - domain. This is a special-case rule created for DNS abuse which looks for the same information being requested simultaneously from multiple IP's. For example, when multiple spambots are instructed to begin a spam-run, they will all be using the same list of email addresses to send to. The result of this is that our filter log will show several IP addresses requesting the same non-existant domain name at nearly the same time. The domain parameter has two parts, seperated by a pipe, which encloses the domain name being requested. For example:
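The match and domain rule semantics described in this revision's text, applied to constructed /var/log/filter lines as an added Python example. This is not code from the autoblock project: the syslog-style line layout, the way the client IP is located in a line, and the fixed time window used to decide "nearly the same time" are all assumptions made for illustration.

```python
"""Added example (not the autoblock project's code): apply 'match' and
'domain' rule semantics to constructed filter log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like layout.
SAMPLE_LOG = """\
May 30 22:49:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 30 22:49:02 host sshd[1201]: Accepted password for calum from 198.51.100.7 port 40000 ssh2
May 30 22:49:03 host named[400]: client 192.0.2.10#53001: query: bogus-mailhost.example NXDOMAIN
May 30 22:49:04 host named[400]: client 192.0.2.11#53002: query: bogus-mailhost.example NXDOMAIN
May 30 22:49:05 host named[400]: client 192.0.2.12#53003: query: bogus-mailhost.example NXDOMAIN
May 30 22:49:40 host named[400]: client 192.0.2.10#53004: query: other.example NXDOMAIN
"""

# Assumed: the first dotted-quad in a line is the client address.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def rule_matches(match: str, line: str) -> bool:
    """'match' semantics: every |-separated substring must appear in the line."""
    return all(part in line for part in match.split("|"))


def extract_domain(domain_spec: str, line: str):
    """'domain' semantics: the spec is 'prefix|suffix' and the requested name
    is the text enclosed between them. Returns None if either part is absent."""
    prefix, suffix = domain_spec.split("|", 1)
    start = line.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = line.find(suffix, start)
    if end < 0:
        return None
    return line[start:end].strip()


def parse_line(line: str):
    """Return (timestamp, client_ip) for one line; the year is not in the
    syslog timestamp, so only relative ordering within a log is meaningful."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    m = IP_RE.search(line)
    return ts, (m.group(1) if m else None)


def matching_ips(lines, match: str):
    """Plain match rule: client IPs from every line where all match strings hit."""
    hits = []
    for line in lines:
        if rule_matches(match, line):
            _, ip = parse_line(line)
            if ip:
                hits.append(ip)
    return hits


def simultaneous_domain_requests(lines, match: str, domain_spec: str,
                                 min_ips: int = 3,
                                 window: timedelta = timedelta(seconds=30)):
    """Domain rule: {domain: sorted IPs} for names requested by at least
    min_ips distinct addresses within `window` of the name's first request.
    The fixed window anchored on the first request is an assumed heuristic."""
    first_seen = {}
    ips = defaultdict(set)
    for line in lines:
        if not rule_matches(match, line):
            continue
        name = extract_domain(domain_spec, line)
        ts, ip = parse_line(line)
        if name is None or ip is None:
            continue
        first_seen.setdefault(name, ts)
        if ts - first_seen[name] <= window:
            ips[name].add(ip)
    return {d: sorted(s) for d, s in ips.items() if len(s) >= min_ips}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed ssh logins from:", matching_ips(lines, "sshd|: Failed password for"))
    print("same NXDOMAIN name from several IPs:",
          simultaneous_domain_requests(lines, "named|NXDOMAIN", "query: |NXDOMAIN"))
```

The first call reproduces the two-string sshd match from the text; the second uses a domain spec whose two pipe-separated parts enclose the queried name, so three different client addresses asking for the same non-existent name within seconds are reported together while the single request for other.example is not.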
Additions:
CategoryDNSBlockList
Additions:
[[AutoBlockSH autoblock]] v20060120
[[AutoBlockRules autoblock.rules]]
[[AutoBlockCleanup cleanup]] v20060120
Deletions:
autoblock.rules
cleanup v20060120