author | Yaroslav Halchenko <debian@onerussian.com> | 2010-06-29 01:38:05 +0000 |
---|---|---|
committer | Yaroslav Halchenko <debian@onerussian.com> | 2010-06-29 01:38:05 +0000 |
commit | 180a98db853325619ad161544315103f52faba68 (patch) | |
tree | 32125546215ebd44e4c5b6628afaa4fb4aa9dbd9 | |
parent | 24d8e29ace2f136dae67e8a05c63065daea3e347 (diff) | |
disabling entirely named-refused-udp jail with a big fat warning0.x
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@762 a942ae1a-1317-0410-a47c-b1dcaea8d605
-rw-r--r-- | config/jail.conf | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/config/jail.conf b/config/jail.conf
index 75c53b76..7501e2f5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -212,14 +212,22 @@ ignoreip = 168.192.0.1
 # in your named.conf to provide proper logging.
 # This jail blocks UDP traffic for DNS requests.
-[named-refused-udp]
-
-enabled = false
-filter = named-refused
-action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
- sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/security.log
-ignoreip = 168.192.0.1
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled = false
+# filter = named-refused
+# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+# sendmail-whois[name=Named, dest=you@mail.com]
+# logpath = /var/log/named/security.log
+# ignoreip = 168.192.0.1
 # This jail blocks TCP traffic for DNS requests. |
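Review bot: Commenting this jail out removes the UDP spoofing vector only for this jail, yet the `filter = named-refused` line it references is, as far as I can tell, the same filter the `named-refused-tcp` jail announced by the trailing context line uses, and BIND's `denied` log lines do not, to my knowledge, record which transport a query arrived on, so a forged-source UDP query can still trigger the TCP jail's ban against the spoofed victim (the port list only narrows what gets blocked). The new warning should say so, e.g. add `# NOTE: the named-refused filter cannot tell UDP from TCP queries in the log, so the same spoofing concern applies to named-refused-tcp.` after the `Please DO NOT USE` line, or the TCP jail needs the same caveat. The example `# ignoreip = 168.192.0.1` kept in the commented block is a routable address (probably a transposition of `192.168.0.1`); since this block is meant to be copied by anyone re-enabling the jail, `# ignoreip = 192.168.0.1` is the safer example. Minor wording in the new comment: `immitation` should be `imitation` and `UDP is connectionless protocol` should be `UDP is a connectionless protocol`. The `named-refused-tcp` section itself lies outside the hunk, so its filter line is inferred rather than seen.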