We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
[Security Loophole] DNS Blocking Applies to UDP Only
The Fail2ban-DNS chain in Vesta blocks port 53 UDP only. Since domains can be resolved using TCP, any rules that fail2ban adds will not really stop an attacker from continuously resolving over TCP.
This can be fixed by adding a second rule to the fail2ban chain in the Vesta configuration to block 53 TCP as well.
Code:
CHAIN='DNS' PORT='53' PROTOCOL='TCP'
This new chain rule should be added in /usr/local/vesta/data/firewall/chains.conf in addition to the existing UDP rule.
Please include this in the next update.
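The gap described above is easy to verify on a running host: the per-IP DROP rules that fail2ban writes into its chain only matter for traffic that the INPUT chain actually sends there, so if the only jump into the DNS chain matches UDP, TCP queries on port 53 are never inspected. The script below is an added example and is not Vesta's own code. It reads iptables-save style rules and reports whether both UDP and TCP port 53 are routed through the fail2ban chain. The chain name fail2ban-DNS and the rule shape (-A INPUT -p udp ... --dport 53 -j fail2ban-DNS) are assumptions about what Vesta generates from chains.conf; adjust them if your install differs. The two rulesets at the bottom are constructed samples, one showing the UDP-only state from the post and one showing the state after the TCP rule is added.

```shell
#!/bin/sh
# Added example, not part of Vesta. Checks whether the INPUT chain sends
# both UDP and TCP port-53 traffic through the fail2ban-DNS chain.
# Live use (assumes the chain name fail2ban-DNS, as Vesta is believed to
# create from chains.conf):  sh check_dns_chain.sh --live

# Prints the protocols (sorted, space separated) for which an INPUT rule
# on --dport 53 jumps to fail2ban-DNS. Rules are read from stdin.
covered_protocols() {
    grep -E -- '-A INPUT .*-j fail2ban-DNS' |
    grep -E -- '--dport 53( |$)' |
    sed -n -E 's/.*-p (udp|tcp) .*/\1/p' |
    sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit status 0 when both UDP and TCP are covered, 1 otherwise.
# Prints a one-line verdict naming any missing protocol.
check_dns_coverage() {
    protos=$(covered_protocols)
    missing=""
    for p in udp tcp; do
        case " $protos " in
            *" $p "*) ;;                      # protocol is routed to the chain
            *) missing="$missing $p" ;;       # protocol bypasses the chain
        esac
    done
    if [ -z "$missing" ]; then
        echo "OK: fail2ban-DNS covers UDP and TCP on port 53"
        return 0
    fi
    echo "GAP: fail2ban-DNS does not cover:$missing on port 53"
    return 1
}

# Constructed sample: only the UDP jump exists, the state the post describes.
SAMPLE_UDP_ONLY='-A INPUT -p udp -m udp --dport 53 -j fail2ban-DNS
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH'

# Constructed sample: after adding PROTOCOL='TCP' to chains.conf.
SAMPLE_BOTH='-A INPUT -p udp -m udp --dport 53 -j fail2ban-DNS
-A INPUT -p tcp -m tcp --dport 53 -j fail2ban-DNS'

# Convenience wrappers so each sample can be checked by name.
check_udp_only() { printf '%s\n' "$SAMPLE_UDP_ONLY" | check_dns_coverage; }
check_both()     { printf '%s\n' "$SAMPLE_BOTH" | check_dns_coverage; }

# With --live, inspect the real ruleset instead of the constructed samples.
if [ "${1:-}" = "--live" ]; then
    iptables-save | check_dns_coverage
fi
```

Running it against the first sample prints a GAP line naming tcp; against the second it prints OK. The check looks at the jump rules rather than the contents of the fail2ban chain on purpose: a chain full of DROP entries is still ineffective if TCP traffic never reaches it.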