Security Incidents mailing list archives
Re: Logging named version requests
From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Wed, 7 Feb 2001 09:26:58 +0100
"Osvaldo J. Filho" wrote:
> With all these bind bugs buzzing, I did a (very) small patch to (sys)log the version requests for the latest 8.x.x named (8.2.3-REL). It can be found at http://brsec.xnext.com.br/named-patch.tgz. I think this is really important to keep an eye on intruders looking for vulnerable servers on your network.
Another way to do that without having to recompile bind:

1/ a zone file:

    [root@mary zone]# more /var/named/zone/bind
    $ORIGIN bind.
    @       1D CHAOS SOA    localhost. root.localhost. (
                    1       ; serial
                    3H      ; refresh
                    1H      ; retry
                    1W      ; expiry
                    1D )    ; minimum
            CHAOS NS        localhost.

2/ And in the named.conf file:

    zone "bind" chaos {
            allow-query {localhost; };
            type master;
            file "zone/bind";
    };

3/ Now, the result in the syslog log file:

    Feb 6 15:41:40 mary named[4159]: denied query from [X.X.X.X].3207 for "version.bind"

Enjoy,
Nicob
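A log-review sketch for the syslog lines this zone produces, added here as an example and not part of the original post: it tallies the sources whose version.bind queries were denied. The sample lines, the documentation addresses and the function name `version_probes` are constructed for illustration, and the line format is assumed to match the one shown in step 3.

```python
import re
from collections import defaultdict

# Matches the named syslog line shown in the post, e.g.
#   Feb  6 15:41:40 mary named[4159]: denied query from [192.0.2.10].3207 for "version.bind"
DENIED = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+named\[\d+\]:\s+'
    r'denied query from \[(?P<src>[^\]]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]*)"'
)

def version_probes(lines):
    """Return {source: {count, first, last, servers}} for denied version.bind queries."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "servers": set()})
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # not a named "denied query" line
        # DNS names are case-insensitive and may carry a trailing dot,
        # so normalise in case the name is logged as it was sent.
        if m["qname"].lower().rstrip(".") != "version.bind":
            continue
        entry = seen[m["src"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]  # syslog timestamps carry no year
        entry["last"] = m["ts"]
        entry["servers"].add(m["host"])
    return dict(seen)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE = [
    'Feb  6 15:41:40 mary named[4159]: denied query from [192.0.2.10].3207 for "version.bind"',
    'Feb  6 15:41:52 mary named[4159]: denied query from [192.0.2.10].3209 for "VERSION.BIND"',
    'Feb  6 16:02:11 mary named[4159]: denied query from [198.51.100.7].1045 for "version.bind"',
    'Feb  6 16:05:00 mary named[4159]: denied query from [198.51.100.7].1046 for "example.test"',
    'Feb  6 16:10:03 mary sshd[812]: Connection closed by 203.0.113.5',
]

if __name__ == "__main__":
    # Most active sources first
    report = version_probes(SAMPLE)
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{src:15} {e["count"]:3} probe(s)  {e["first"]} .. {e["last"]}  '
              f'on {",".join(sorted(e["servers"]))}')
```

Because only localhost is in allow-query, every remote version.bind lookup appears as a denial, so the tally covers all outside sources that asked.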