
Is it advisable to block based on tcpdump Refused output?

Discussion in 'Linux Security' started by postcd, Dec 29, 2017.

postcd (New Member, joined Jul 8, 2017; 17 messages, 1 like received):
    Hello,

the DNS server can log denied DNS queries and I can use fail2ban or ConfigServer Firewall to ban IPs with excessive denied log entries, but my CentOS 6 log file (/var/log/messages) is 2GB for around the last 72 hours thanks to denied queries. It is not an attack. So I thought about whether I can disable logging of these DNS denied queries and instead monitor tcpdump output for refused queries and ban IPs with too many refused. What do you think? Is that actually possible and wise?

    tcpdump -nn -vv net myserverip and port 53 | grep Refused

    Is there any already made solution that filters tcpdump output for blocking?
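    One way to do what the post describes, as an added example that is not from the original poster or from any existing tool: a small Python filter that reads the `tcpdump -nn -vv ... port 53` output, keeps only the REFUSED replies that the server itself sends (source address is the server, source port 53), counts them per client address, and reports the clients above a threshold. The server address, the threshold and the allowlist are parameters you supply; the sample tcpdump lines embedded below are constructed for illustration and follow the two-line layout `-vv` produces (IP header line, then the indented UDP/DNS line). Real use would be `tcpdump -nn -vv -l net <serverip> and port 53 | python3 refused_watch.py <serverip> 50`, with the resulting list fed to whatever firewall front end you already trust.

```python
import re
import sys
from collections import Counter

# Matches the UDP line tcpdump prints (with -nn, no name resolution):
#   "src.sport > dst.dport: ..."  e.g. "198.51.100.7.53 > 203.0.113.5.41234: ..."
DNS_LINE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
# tcpdump prints the DNS rcode REFUSED as "Refused" (sometimes "Refused-").
REFUSED = re.compile(r"\bRefused")


def refused_clients(lines, server_ip):
    """Count REFUSED replies sent by server_ip, keyed by the client that received them.

    Only lines where the server is the *source* on port 53 are counted, so client
    queries (the other direction) and replies from other resolvers are ignored.
    """
    counts = Counter()
    for line in lines:
        if not REFUSED.search(line):
            continue
        m = DNS_LINE.search(line)
        if m is None:
            continue
        if m.group("src") != server_ip or m.group("sport") != "53":
            continue
        counts[m.group("dst")] += 1
    return counts


def candidates_for_ban(counts, threshold, allowlist=frozenset()):
    """Return the client addresses at or above threshold, minus the allowlist.

    UDP source addresses can be forged, so an allowlist of addresses you must never
    block (your own resolvers, monitoring hosts) belongs here rather than in the
    firewall rule that consumes this list.
    """
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


# Constructed sample of "tcpdump -nn -vv net 198.51.100.7 and port 53" output.
# 198.51.100.7 is the (hypothetical) DNS server; the other addresses are clients.
SAMPLE_LINES = """\
12:00:01.000001 IP (tos 0x0, ttl 52, id 1, offset 0, flags [none], proto UDP (17), length 57)
    203.0.113.5.41234 > 198.51.100.7.53: [udp sum ok] 1001+ A? example.net. (29)
12:00:01.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 57)
    198.51.100.7.53 > 203.0.113.5.41234: [udp sum ok] 1001 Refused- q: A? example.net. 0/0/0 (29)
12:00:01.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 57)
    198.51.100.7.53 > 203.0.113.5.41235: [udp sum ok] 1002 Refused- q: A? example.net. 0/0/0 (29)
12:00:01.000004 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto UDP (17), length 57)
    198.51.100.7.53 > 203.0.113.5.41236: [udp sum ok] 1003 Refused- q: A? example.net. 0/0/0 (29)
12:00:01.000005 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto UDP (17), length 57)
    198.51.100.7.53 > 203.0.113.9.5353: [udp sum ok] 1004 Refused- q: A? example.org. 0/0/0 (29)
12:00:01.000006 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto UDP (17), length 73)
    198.51.100.7.53 > 192.0.2.10.33333: [udp sum ok] 1005 q: A? example.com. 1/0/0 example.com. A 93.184.216.34 (45)
""".splitlines()

SAMPLE_SERVER = "198.51.100.7"


def main(argv):
    # Usage: tcpdump -nn -vv -l net <serverip> and port 53 | python3 refused_watch.py <serverip> <threshold>
    server_ip, threshold = argv[1], int(argv[2])
    counts = refused_clients(sys.stdin, server_ip)
    for ip in candidates_for_ban(counts, threshold):
        print(f"{ip} {counts[ip]}")


if __name__ == "__main__":
    main(sys.argv)
```

    The script counts over whatever it is fed, so for continuous monitoring you would run it on a rotated capture or add a time window; `-l` makes tcpdump line-buffer its output so the pipe does not stall. Because only the server's own port-53 replies are counted, a client's queries and legitimate answers never contribute to its score, which keeps the threshold meaningful.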

