What can these IPs be so insistent, DDOS attack? (client @0x7.. query (cache) 'sl/ANY/IN' denied)

Discussion in 'Linux Beginners' started by Milly, May 4, 2021.

  1. Milly

    Milly Member

    Sorry for asking, but I do not know what these lines are; they have been showing up for two months. I have not made any changes; these messages just started to appear. I have looked for information, but I am not really sure what they are.
    I would like to know if I can find out here what these connections mean. They are all denied and apparently they do not affect anything, but they are very insistent:

    Code:
    May  3 20:47:16 mail named[19670]: client @0x7fb66c0569c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:47:16 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:47:16 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:47:51 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:47:51 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:47:51 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:48:10 mail named[19670]: client @0x7fb66c0789c0 98.237.163.219#80 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:48:10 mail named[19670]: client @0x7fb66c0789c0 98.237.163.219#80 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:48:10 mail named[19670]: client @0x7fb66c0789c0 98.237.163.219#80 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:48:42 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:48:42 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    May  3 20:48:42 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
    
    I would also like to know whether it is necessary and good practice to add these IPs to fail2ban.
    How could I add a new filter (/etc/fail2ban/filter.d) and add it to the jail (/etc/fail2ban/jail.local jail.local)?


    Thank you
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    It could be someone trying to use your server to DDoS someone; ensure your BIND is up to date and has response rate limiting enabled (which I think is the default now, but verify that).
     
  3. Milly

    Milly Member

    Thank you very much Jesse, I will look for information on what I should do to fix it correctly and not make an error.
     

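Added example, not written by any participant in the thread: a short Python triage of the denied-query lines quoted in the first post, grouping them by claimed client address and flagging the pattern typical of a reflection attempt. The sample lines are copied from that post; the "source port below 1024" test is a heuristic assumed for this example. It bears on the fail2ban question because an address flagged this way is probably forged, so a ban would land on the intended victim rather than the sender.

```python
import re
from collections import Counter, defaultdict

# Matches BIND "query (cache) ... denied" lines in the form shown in the first post.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<name>[^)]*)\): "
    r"query \(cache\) '(?P<q>[^']+)' denied"
)

# Lines copied from the log excerpt in the first post (not new data).
SAMPLE = """\
May  3 20:47:16 mail named[19670]: client @0x7fb66c0569c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
May  3 20:47:16 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
May  3 20:47:51 mail named[19670]: client @0x7fb66c0789c0 24.193.48.159#53 (sl): query (cache) 'sl/ANY/IN' denied
May  3 20:48:10 mail named[19670]: client @0x7fb66c0789c0 98.237.163.219#80 (sl): query (cache) 'sl/ANY/IN' denied
May  3 20:48:10 mail named[19670]: client @0x7fb66c0789c0 98.237.163.219#80 (sl): query (cache) 'sl/ANY/IN' denied
"""

def summarize(log_text):
    """Group denied queries by the client address named in the log."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "queries": Counter()})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["count"] += 1
            entry["ports"].add(int(m["port"]))
            entry["queries"][m["q"]] += 1
    return dict(stats)

def looks_like_reflection(entry):
    """Heuristic (assumption of this example): every query is type ANY and
    every source port is a well-known service port (< 1024). Genuine
    resolvers query from random high ports, so this combination suggests
    a forged source address."""
    only_any = all(q.rsplit("/", 2)[1] == "ANY" for q in entry["queries"])
    return only_any and all(port < 1024 for port in entry["ports"])

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE).items():
        verdict = "likely forged source" if looks_like_reflection(e) else "review"
        print(f"{ip} count={e['count']} ports={sorted(e['ports'])} -> {verdict}")
```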