authorYaroslav Halchenko <debian@onerussian.com>2010-06-29 01:38:05 +0000
committerYaroslav Halchenko <debian@onerussian.com>2010-06-29 01:38:05 +0000
commit180a98db853325619ad161544315103f52faba68 (patch)
tree32125546215ebd44e4c5b6628afaa4fb4aa9dbd9
parent24d8e29ace2f136dae67e8a05c63065daea3e347 (diff)
disabling entirely named-refused-udp jail with a big fat warning0.x
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@762 a942ae1a-1317-0410-a47c-b1dcaea8d605
-rw-r--r--config/jail.conf24
1 files changed, 16 insertions, 8 deletions
diff --git a/config/jail.conf b/config/jail.conf
index 75c53b76..7501e2f5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -212,14 +212,22 @@ ignoreip = 168.192.0.1
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
-[named-refused-udp]
-
-enabled = false
-filter = named-refused
-action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
- sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/security.log
-ignoreip = 168.192.0.1
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled = false
+# filter = named-refused
+# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+# sendmail-whois[name=Named, dest=you@mail.com]
+# logpath = /var/log/named/security.log
+# ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.