Is it advisable to block based on tcpdump Refused output?

Discussion in 'Linux Security' started by postcd, Dec 29, 2017.

postcd (New Member):
    Hello,

    the DNS server can log denied DNS queries and I can use fail2ban or ConfigServer Firewall to ban IPs with excessive denied log entries, but my CentOS 6 log file (/var/log/messages) is 2GB for around the last 72 hours thanks to denied queries. It is not an attack. So I thought I could disable logging of these DNS denied queries and instead monitor tcpdump output for refused queries and ban IPs with too many refused. What do you think? Is that actually possible and wise?

    tcpdump -nn -vv -l host myserverip and port 53 | grep Refused
    Is there any already-made solution that filters tcpdump output for blocking?
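One way to do the counting the question describes, given here as an added example and not code from the thread, from tcpdump or from fail2ban: a small Python filter that reads tcpdump's text output, keeps a per-client sliding window of REFUSED answers and reports clients that go over a threshold. It assumes IPv4 addresses, tcpdump's `-nn` numeric output and its English "Refused" rcode text; the threshold, window, `eth0` and server IP in the usage line are placeholders. A refused answer travels from the server to the client, so the client is the destination of any packet sent from port 53, and that is the address the script counts.

```python
"""Watch tcpdump output for DNS REFUSED answers and report noisy clients.

Added example, not code from the original thread.  Assumes IPv4 and tcpdump's
English "Refused" rcode text.  Usage on the DNS server (interface and IP are
placeholders; -l makes tcpdump line-buffer its output when piped):

    tcpdump -nn -l -i eth0 host <server-ip> and udp port 53 | python3 refused_watch.py

It only prints candidate IPs; handing them to fail2ban/CSF is the operator's call.
"""
import re
import sys
from collections import defaultdict, deque

THRESHOLD = 5   # refused answers per client before it is reported (assumed value)
WINDOW = 60.0   # sliding window in seconds (assumed value)

# Timestamp at the start of a tcpdump line, e.g. "12:34:56.789012 IP ..."
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d+)")
# "src.port > dst.port:" as printed by tcpdump -nn (IPv4 only)
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
# tcpdump prints the rcode name for non-NoError answers ("Refused", "Refused-", ...)
REFUSED_RE = re.compile(r"\bRefused\b")


def parse_ts(line):
    """Return seconds since midnight for a line that starts with a tcpdump timestamp, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    h, mi, s, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac)


class RefusedTracker:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # client IP -> timestamps of refused answers
        self.last_ts = 0.0

    def feed(self, line):
        """Consume one tcpdump line; return the client IP when it crosses the threshold, else None."""
        ts = parse_ts(line)
        if ts is not None:
            # With -v/-vv the DNS text sits on a following indented line without
            # a timestamp, so remember the most recent one for that case.
            self.last_ts = ts
        else:
            ts = self.last_ts
        if not REFUSED_RE.search(line):
            return None
        m = ADDR_RE.search(line)
        if not m:
            return None
        src, sport, dst, dport = m.groups()
        if sport != "53":        # only answers leaving our server count
            return None
        q = self.events[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) == self.threshold:           # report once, at the crossing
            return dst
        return None

    def offenders(self):
        """Client IPs at or above the threshold as of the last packet seen."""
        return sorted(ip for ip, q in self.events.items() if len(q) >= self.threshold)


def scan(lines, threshold=THRESHOLD, window=WINDOW):
    """Run the tracker over an iterable of tcpdump lines and return offending client IPs."""
    tracker = RefusedTracker(threshold, window)
    for line in lines:
        tracker.feed(line)
    return tracker.offenders()


# Constructed sample output (server 203.0.113.10, clients 198.51.100.x), not a real capture.
SAMPLE = [
    "10:00:00.000100 IP 198.51.100.7.41234 > 203.0.113.10.53: 1001+ A? example.com. (29)",
    "10:00:00.000200 IP 203.0.113.10.53 > 198.51.100.7.41234: 1001 Refused 0/0/0 (29)",
    "10:00:01.000200 IP 203.0.113.10.53 > 198.51.100.7.41235: 1002 Refused 0/0/0 (29)",
    "10:00:02.000200 IP 203.0.113.10.53 > 198.51.100.7.41236: 1003 Refused 0/0/0 (29)",
    # -vv style: IP header on one line, DNS text on the next without a timestamp
    "10:00:03.000200 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 57)",
    "    203.0.113.10.53 > 198.51.100.7.41237: [udp sum ok] 1004 Refused- q: A? example.com. 0/0/0 (29)",
    "10:00:04.000200 IP 203.0.113.10.53 > 198.51.100.7.41238: 1005 Refused 0/0/0 (29)",
    # a client with a single refused answer, and an NXDomain answer that is not a refusal
    "10:00:05.000200 IP 203.0.113.10.53 > 198.51.100.8.5353: 2001 Refused 0/0/0 (29)",
    "10:00:06.000200 IP 203.0.113.10.53 > 198.51.100.8.5354: 2002 NXDomain 0/1/0 (80)",
]


if __name__ == "__main__":
    tracker = RefusedTracker()
    for raw in sys.stdin:
        ip = tracker.feed(raw.rstrip("\n"))
        if ip:
            print(f"{ip} got {THRESHOLD} refused answers within {WINDOW:.0f}s", flush=True)
```

Two points worth keeping in mind when wiring this to a firewall: the sliding window is what separates a misconfigured resolver that retries for hours from a burst, so tune the window rather than the raw count; and because the evidence is a UDP source address, a spoofed query can make an innocent address look like the offender, which is a reason to rate-limit or alert before banning outright.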