
[Security Loophole] DNS Blocking Applies to UDP Only

Posted: Sun Nov 19, 2017 12:07 am
by kareem
The Fail2ban DNS chain in Vesta blocks port 53 UDP only. Since domains can be resolved using TCP, any rules that fail2ban adds will not really stop an attacker from continuously resolving over TCP.

This can be fixed by adding a second rule to the fail2ban chain in Vesta configuration to block 53 TCP as well.

Code:

CHAIN='DNS' PORT='53' PROTOCOL='TCP'
This new chain rule should be added in /usr/local/vesta/data/firewall/chains.conf in addition to the existing UDP rule.

Please include this in next update.
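As an added example (not code from the post or from Vesta), a small audit script that parses chains.conf lines in the KEY='VALUE' format shown above, reports which protocols a chain still lacks for a given port, and produces the line to append. The sample file contents are constructed; the only assumption is that chains.conf keeps the one-rule-per-line format the post shows.

```python
import re

# Constructed sample in the KEY='VALUE' line format the post shows for
# /usr/local/vesta/data/firewall/chains.conf (not a copy of a real file).
SAMPLE_CHAINS_CONF = """\
CHAIN='SSH' PORT='22' PROTOCOL='TCP'
CHAIN='FTP' PORT='21' PROTOCOL='TCP'
CHAIN='MAIL' PORT='25,465,587,2525,110,995,143,993' PROTOCOL='TCP'
CHAIN='DNS' PORT='53' PROTOCOL='UDP'
"""

# One KEY='VALUE' pair; a line is a sequence of these separated by spaces.
LINE_RE = re.compile(r"(\w+)='([^']*)'")

def parse_chains(text):
    """Return a list of {KEY: value} dicts, one per non-empty, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        rules.append(dict(LINE_RE.findall(line)))
    return rules

def protocols_for(rules, chain, port):
    """Set of protocols (upper-cased) under which `chain` covers `port`."""
    protos = set()
    for r in rules:
        if r.get('CHAIN') != chain:
            continue
        ports = {p.strip() for p in r.get('PORT', '').split(',')}
        if port in ports:
            protos.add(r.get('PROTOCOL', '').upper())
    return protos

def missing_protocols(rules, chain, port, wanted=('TCP', 'UDP')):
    """Protocols from `wanted` that `chain` does not yet cover for `port`."""
    have = protocols_for(rules, chain, port)
    return [p for p in wanted if p not in have]

def fix_line(chain, port, proto):
    """The chains.conf line to append so the chain also covers `proto`."""
    return f"CHAIN='{chain}' PORT='{port}' PROTOCOL='{proto}'"

if __name__ == '__main__':
    rules = parse_chains(SAMPLE_CHAINS_CONF)
    for proto in missing_protocols(rules, 'DNS', '53'):
        print('missing:', fix_line('DNS', '53', proto))
```

Run it against the real file by replacing SAMPLE_CHAINS_CONF with the contents of chains.conf; a DNS chain that lists only UDP reports the TCP line to add.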