While I was updating some settings on my BIND server on Ubuntu 20, I noticed a lot of queries for “pizzaseo.com”, which appears to be some kind of marketing company trying to scrape for data. After reading about it in forums, apparently they’re looking for vulnerable Pi-hole servers that are exposed to the internet.
For me, it just means many thousands of useless queries in my DNS logs. Since I have to allow external queries because I have some clients on subnets that may change, I can’t stop them outright. But also, since I don’t allow recursion on external servers, there’s no real harm in them making the queries, other than that it annoys me.
I decided to use fail2ban to block the offenders. I added a filter definition that looks for lines in /var/log/named/named-security.log that are querying pizzaseo.com, and creates a DROP rule in the firewall. Create a file named /etc/fail2ban/filter.d/pizzaseo.conf and put in it the regular expressions needed to match the lines in the security log. I also noticed a lot of similar queries for “mygoodmonkey.com”, so I added a catch for that as well.
[INCLUDES]
before = common.conf

[Definition]
# One expression per line; continuation lines must be indented.
failregex = .* client @0x.* <HOST>#.*\(pizzaseo\.com\): .* denied
            .* client @0x.* <HOST>#.*\(mygoodmonkey\.com\): .* denied
ignoreregex =
Next, you need to add a jail definition to /etc/fail2ban/jail.d/pizzaseo.conf:

[named-pizzaseo]
enabled = true
filter = pizzaseo
action = iptables[name=named, port=53, protocol=udp, blocktype=DROP]
logpath = /var/log/named/named-security.log
maxretry = 2
findtime = 60
bantime = 1800
ignoreip = 127.0.0.1/8 ::1
This will drop all UDP traffic to port 53 from a given host for half an hour (bantime) after 2 matching queries (maxretry) within 60 seconds (findtime). Adjust the values to suit your tastes.
If you want to test your regular expressions, the following command will tell you how many lines it matches (one line):
fail2ban-regex /var/log/named/named-security.log /etc/fail2ban/filter.d/pizzaseo.conf
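To see what the filter and the jail thresholds do without touching a live server, the following added example (not part of the original post) replays constructed log lines through the two expressions and applies maxretry and findtime. The IPv4-only stand-in for <HOST>, the sample addresses and the timestamp layout are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    r".* client @0x.* <HOST>#.*\(pizzaseo\.com\): .* denied",
    r".* client @0x.* <HOST>#.*\(mygoodmonkey\.com\): .* denied",
]
PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
MAXRETRY, FINDTIME = 2, 60  # maxretry and findtime from the jail definition

# Constructed sample lines; the timestamp layout is an assumed log format.
SAMPLE_LOG = """\
11-Oct-2021 07:24:50.100 client @0x7f46a41016a0 192.0.2.10#4431 (pizzaseo.com): query (cache) 'pizzaseo.com/A/IN' denied
11-Oct-2021 07:24:51.200 client @0x7f46a41016a0 198.51.100.7#53 (sl): query (cache) 'sl/ANY/IN' denied
11-Oct-2021 07:24:55.300 client @0x7f46a4102b30 192.0.2.10#4431 (pizzaseo.com): query (cache) 'pizzaseo.com/A/IN' denied
11-Oct-2021 07:25:00.400 client @0x7f46a4102b30 203.0.113.5#9000 (mygoodmonkey.com): query (cache) 'mygoodmonkey.com/A/IN' denied
11-Oct-2021 07:27:30.500 client @0x7f46a41016a0 203.0.113.5#9000 (mygoodmonkey.com): query (cache) 'mygoodmonkey.com/A/IN' denied
"""


def match_host(line):
    """Return the client IP if any failregex matches the line, else None."""
    hits = (p.search(line) for p in PATTERNS)
    return next((m.group("host") for m in hits if m), None)


def hosts_to_ban(log_text):
    """Replay the log and return hosts reaching MAXRETRY hits within FINDTIME."""
    recent = defaultdict(deque)  # host -> timestamps of recent matches
    banned = []
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None or host in banned:
            continue
        stamp = datetime.strptime(line[:24], "%d-%b-%Y %H:%M:%S.%f")
        hits = recent[host]
        hits.append(stamp)
        while (stamp - hits[0]).total_seconds() > FINDTIME:
            hits.popleft()  # forget matches older than the findtime window
        if len(hits) >= MAXRETRY:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Only 192.0.2.10 is banned: the denied query for a different name is ignored by the filter, and the two mygoodmonkey.com hits from 203.0.113.5 are more than 60 seconds apart.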
And to check the firewall rules, you can run the command:
iptables -L f2b-named -n -v
How to block only IP address, e.g.:
> Oct 11 07:24:51 server named[1344]: client @0x7f46a41016a0 174.194.207.38#53 (sl): query (cache) 'sl/ANY/IN' denied