[SOLVED] Denied DNS cache queries originating from

from here

I had this situation:

[SOLVED] Denied DNS cache queries originating from


Recently Virtualmin complained that I needed to add to the BIND Zones.
Since then I’ve started seeing the following entries in my /var/named/data/named.run:

13-Jan-2016 14:20:12.442 client query (cache) 'w3.org/NS/IN' denied
13-Jan-2016 14:20:12.442 client query (cache) 'comcast.net/NS/IN' denied
13-Jan-2016 14:20:12.443 client query (cache) 'akamai.com/NS/IN' denied
13-Jan-2016 14:21:03.839 client query (cache) 'cingular.com/NS/IN' denied
13-Jan-2016 14:21:03.839 client query (cache) 'kernel.org/NS/IN' denied
13-Jan-2016 14:21:03.840 client query (cache) 'gmx.net/NS/IN' denied
13-Jan-2016 19:55:38.304 client query (cache) 'sun.com/NS/IN' denied
13-Jan-2016 19:55:38.305 client query (cache) 'w3.org/NS/IN' denied
13-Jan-2016 19:55:38.307 client query (cache) 'mit.edu/NS/IN' denied

I already have the named-refused-udp and named-refused-tcp fail2ban jails activated, so I’m not worried about any such entries which originate from an external ip address.

What concerns me is those originating from
Have I been hacked?


I patched it like this:

I'll answer my own question to help anyone else looking. To stop these entries add the following to /etc/named.conf:

allow-query-cache { none; };
recursion no;
additional-from-auth no;
additional-from-cache no;
minimal-responses yes;

so that the options block in /etc/named.conf reads (straight quotes, and the predefined none address list is written unquoted):

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion { none; };
        recursion no;
        version "Not disclosed";
        allow-query-cache { none; };
        additional-from-auth no;
        additional-from-cache no;
        minimal-responses yes;
};


Fail2ban Status commands

fail2ban-client status postfix

Show status of all fail2ban jails at once
Create the file fail2ban-allstatus.sh:

#!/bin/bash
# Take the "Jail list:" line, drop the label, then drop the commas between names
JAILS=$(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g')
for JAIL in $JAILS; do
    fail2ban-client status "$JAIL"
done

or with a single command:

fail2ban-client status | awk -F: '/Jail list:/ { split($2,jail,","); for (i in jail) { gsub(/[\t ]/,"",jail[i]); system("fail2ban-client status " jail[i]); }; }'

To see which filters read the systemd journal (journalmatch) instead of a log file:

grep -srni "journalmatch" /etc/fail2ban/filter.d/


Unban an IP address in Fail2ban

Step 1: Find IP Address to Unblock

Log in to your server via SSH and type in the following command:

iptables -L -n

Look for the IP address you want to unblock / unban.

Step 2: Get Jail Name of fail2ban Blocked IP Address

Now we must find the jail name this IP address is in. To do so, type the following to find the jail list settings:

fail2ban-client status

Step 3: Unban IP Address from fail2ban

For this example, we will remove an IP address banned by the ssh jail. To do so, type in the following:

fail2ban-client set <jail-name> unbanip <ip>

The IP address should now be unbanned from fail2ban.

If you are not sure which jail holds the ban, you can run the unban against every jail in turn (replace <ip> with the address):

fail2ban-client set apache-auth unbanip <ip>
fail2ban-client set apache-badbots unbanip <ip>
fail2ban-client set apache-botsearch unbanip <ip>
fail2ban-client set apache-modsecurity unbanip <ip>
fail2ban-client set apache-nohome unbanip <ip>
fail2ban-client set apache-overflows unbanip <ip>
fail2ban-client set apache-shellshock unbanip <ip>
fail2ban-client set courier-auth unbanip <ip>
fail2ban-client set courier-smtp unbanip <ip>
fail2ban-client set cyrus-imap unbanip <ip>
fail2ban-client set dovecot unbanip <ip>
fail2ban-client set dropbear unbanip <ip>
fail2ban-client set drupal-auth unbanip <ip>
fail2ban-client set ispconfig unbanip <ip>
fail2ban-client set php-url-fopen unbanip <ip>
fail2ban-client set postfix unbanip <ip>
fail2ban-client set postfix-rbl unbanip <ip>
fail2ban-client set postfix-sasl unbanip <ip>
fail2ban-client set pure-ftpd unbanip <ip>
fail2ban-client set recidive unbanip <ip>
fail2ban-client set roundcube-auth unbanip <ip>
fail2ban-client set selinux-ssh unbanip <ip>
fail2ban-client set sendmail-auth unbanip <ip>
fail2ban-client set sendmail-reject unbanip <ip>
fail2ban-client set sshd unbanip <ip>
fail2ban-client set sshd-ddos unbanip <ip>
fail2ban-client set wordpress unbanip <ip>

Fail2ban error in the filter file postfix-sasl.conf

My old filter configuration was:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

If you go to https://regex101.com/ you can test the regular expression against this log line:

May 10 15:57:59 mail postfix/smtpd[28617]: warning: ip43.ip-192-99-125.net[]: SASL LOGIN authentication failed: Connection lost to authentication server

I corrected the error; the configuration is now:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+:]*={0,2})?\s*$

You can also leave the first setting in place, but it is not necessary.

Some other commands for testing:

fail2ban-client ping
fail2ban-client status
fail2ban-client status dovecot
fail2ban-client status postfix-sasl

fail2ban-regex /root/software/test_fail2ban_dovecot.log /etc/fail2ban/filter.d/dovecot.conf

You can test a piece of a log file against a filter configuration with the fail2ban-regex command.
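As an added example (not from the original post or from fail2ban itself), this script does offline what fail2ban-regex does: it applies the corrected postfix-sasl failregex above to a constructed log sample and reports which client addresses it captures. The expansion of %(__prefix_line)s and of the <HOST> placeholder are simplified stand-ins for fail2ban's own definitions and are assumptions of this script.

```python
import re

# Stand-in for fail2ban's %(__prefix_line)s: syslog timestamp, host and
# "daemon[pid]: ". The real definition in filter.d/common.conf is more
# permissive; this simplified form is an assumption for the test.
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]: "

# fail2ban expands <HOST> to a named group roughly like this (assumed to
# mirror the 0.9-era substitution; the IPv4-mapped IPv6 prefix is optional).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The corrected failregex from the post with both substitutions applied.
# The post's "((?i)LOGIN|...)" is written as a scoped "(?i:...)" group here,
# because Python 3.11+ rejects a global (?i) flag placed mid-pattern.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"warning: [-._\w]+\[" + HOST_RE + r"\]: SASL "
    r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(:[ A-Za-z0-9+:]*={0,2})?\s*$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts):
# two failures from one client, one from another, and a plain connect line
# that must not match.
SAMPLE_LOG = """\
May 10 15:57:59 mail postfix/smtpd[28617]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: Connection lost to authentication server
May 10 15:58:03 mail postfix/smtpd[28617]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
May 10 15:58:10 mail postfix/smtpd[28620]: warning: host.example.net[198.51.100.7]: SASL digest-md5 authentication failed
May 10 15:58:12 mail postfix/smtpd[28621]: connect from client.example.org[192.0.2.9]
"""


def extract_hosts(log_text):
    """Return the <host> captured from every matching line, in order,
    which is what fail2ban counts against maxretry within findtime."""
    return [m.group("host")
            for m in (FAILREGEX.match(line) for line in log_text.splitlines())
            if m]


def count_by_host(log_text):
    """Group failures per client address, as a jail does before banning."""
    counts = {}
    for host in extract_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in count_by_host(SAMPLE_LOG).items():
        print(f"{host}: {n} failed SASL login(s)")
```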

1a -> no need to change rotation, read about the settings: bantime, findtime, maxretry
1b -> fail2ban reads the log which is defined in the jail's logpath; for the recidive jail /var/log/fail2ban.log will be used
2 -> yes, it means recidive will ban IPs based on the log entries matching bantime, findtime, maxretry
3 -> such a long block time should not be needed; if it is a repeating offender he will be caught by the recidive jail
4 -> it depends on your system and resources; if you are worried about the amount of blocked IPs then you can set up the jails with ipset,

read also:
Using Fail2ban to Secure Your Server – A Tutorial
Optimising your Fail2Ban filters | The Art of Web
Protection Against Brute Force Attacks (Fail2Ban)
Fail2Ban Jails Management

fail2ban-client set <jail> unbanip <ip>

Fail2ban and WordPress

Find the WordPress log file.

Normally it is configured in httpd.conf (if you are using the Apache web server):

    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).

    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %v %l %u %t \"%r\" %>s %b" comonvhost

      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a 
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per- access logfiles, transactions will be
    # logged therein and *not* in this file.
    #CustomLog "logs/access_log" common
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    CustomLog "logs/access_log" combined

Here are the log file parameters.

An example from my server of a failed login to WordPress (note that with this LogFormat the virtual host %v comes first and the client address %h is the second field, which matters when writing a failregex for it):

%v      %h %l %u %t                           \"%r\"                         %>s %b   \"%{Referer}i\"                   \"%{User-Agent}i\"
saic.it - -       [30/Sep/2017:09:29:02 +0200] "POST /wp-login.php HTTP/1.1" 200 5444 "http://www.saic.it/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"