Univention Bugzilla – Attachment 6606 Details for
Bug 37553
bind9 configures as open resolver - DDoS
[patch]
Add ACL list to prevent Open DNS Resolver
37553-Add-ACL-list-to-prevent-Open-DNS-Resolver.patch (text/plain), 10.69 KB, created by
Philipp Hahn
on 2015-01-15 14:31 CET
Description:
Add ACL list to prevent Open DNS Resolver
Filename:
MIME Type:
Creator:
Philipp Hahn
Created:
2015-01-15 14:31 CET
Size:
10.69 KB
patch
obsolete
>From f68c140d43666100be56db1aebb46be720dac2ab Mon Sep 17 00:00:00 2001
>Message-Id: <f68c140d43666100be56db1aebb46be720dac2ab.1421328509.git.hahn@univention.de>
>From: Philipp Hahn <hahn@univention.de>
>Date: Thu, 15 Jan 2015 14:26:58 +0100
>Subject: [PATCH] Bug #37553: Add ACL list to prevent Open DNS Resolver
>Organization: Univention GmbH, Bremen, Germany
>
>Add listener to track networks.
>---
> .../ucs-4.0-0/services/univention-bind/bind-acl.py | 94 ++++++++++++++++++++++
> .../conffiles/etc/bind/named.conf.proxy | 15 ++--
> .../conffiles/etc/bind/named.conf.samba4 | 16 ++--
> .../services/univention-bind/debian/changelog | 6 ++
> .../univention-bind/debian/univention-bind.dirs | 5 --
> .../univention-bind/debian/univention-bind.install | 1 +
> .../debian/univention-bind.postinst | 11 +--
> 7 files changed, 126 insertions(+), 22 deletions(-)
> create mode 100755 branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
>
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
>new file mode 100755
>index 0000000..7f0799d
>--- /dev/null
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
>@@ -0,0 +1,94 @@
>+#!/usr/bin/python2.7
>+# -*- coding: utf-8 -*-
>+"""
>+Univention BIND listener script
>+"""
>+# Copyright 2015 Univention GmbH
>+#
>+# http://www.univention.de/
>+#
>+# All rights reserved.
>+#
>+# The source code of this program is made available
>+# under the terms of the GNU Affero General Public License version 3
>+# (GNU AGPL V3) as published by the Free Software Foundation.
>+#
>+# Binary versions of this program provided by Univention to you as
>+# well as other copyrighted, protected or trademarked materials like
>+# Logos, graphics, fonts, specific documentations and configurations,
>+# cryptographic keys etc. are subject to a license agreement between
>+# you and Univention and not subject to the GNU AGPL V3.
>+#
>+# In the case you use this program under the terms of the GNU AGPL V3,
>+# the program is provided in the hope that it will be useful,
>+# but WITHOUT ANY WARRANTY; without even the implied warranty of
>+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+# GNU Affero General Public License for more details.
>+#
>+# You should have received a copy of the GNU Affero General Public
>+# License with the Debian GNU/Linux or Univention distribution in file
>+# /usr/share/common-licenses/AGPL-3; if not, see
>+# <http://www.gnu.org/licenses/>.
>+
>+__package__ = '' # workaround for PEP 366
>+import ldap
>+import listener
>+import ipaddr
>+import subprocess
>+
>+name = 'bind-acl'
>+description = 'Update BIND ACLs'
>+filter = '(objectClass=univentionNetworkClass)'
>+attributes = ['univentionNetmask', 'univentionNetwork']
>+
>+ACL_CONF_FILE = "/var/lib/bind/network-acls.conf"
>+RNDC_BIN = "/usr/sbin/rndc"
>+
>+conf = {
>+ 'ldapserver': None,
>+ 'ldapport': 7389,
>+ 'basedn': None,
>+ 'binddn': None,
>+ 'bindpw': None,
>+}
>+
>+
>+def setdata(key, value):
>+ conf[key] = value
>+
>+
>+def handler(dn, new, old):
>+ ldap_uri = "ldap://%(ldapserver)s:%(ldapport)d" % conf
>+ ldap_con = ldap.initialize(ldap_uri)
>+ ldap_con.bind_s(conf['binddn'], conf['bindpw'])
>+ networks = set()
>+ for dn, values in ldap_con.search_s(conf['basedn'], ldap.SCOPE_SUBTREE, filter, attributes):
>+ network = ipaddr.IPNetwork('%s/%s' % (
>+ values['univentionNetwork'][0],
>+ values['univentionNetmask'][0],
>+ ))
>+ networks.add(network.masked())
>+
>+ listener.setuid(0)
>+ try:
>+ with open(ACL_CONF_FILE, 'w') as acl:
>+ print >> acl, '# THIS FILE IS GENERATED BY bind-acl.py'
>+ print >> acl, 'acl ucs_networks {'
>+ print >> acl, '\tlocalhost;'
>+ for network in networks:
>+ print >> acl, '\t%s;' % (network,)
>+ print >> acl, '};'
>+ subprocess.call(('rndc', '-p', '953', 'reconfig'))
>+ finally:
>+ listener.unsetuid()
>+
>+
>+if __name__ == '__main__':
>+ from univention.config_registry import ConfigRegistry
>+ ucr = ConfigRegistry()
>+ ucr.load()
>+ setdata('ldapserver', ucr['ldap/server/name'])
>+ setdata('basedn', ucr['ldap/base'])
>+ setdata('binddn', ucr['ldap/hostdn'])
>+ setdata('bindpw', open('/etc/machine.secret', 'r').read())
>+ handler('', None, None)
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
>index 45e443a..d3063f1 100644
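Review bot: `handler` truncates the live ACL file with `open(ACL_CONF_FILE, 'w')` before any entry is written, so an exception inside the loop (e.g. a `KeyError` should a matching object lack one of the two attributes) leaves an unterminated `acl` block on disk and `named` rejects its configuration at the next reconfig or restart; write to a temporary file in the same directory and `os.rename()` it over the target once complete (needs `import os`). The reload then runs bare `rndc` from `PATH` even though `RNDC_BIN` is defined for exactly that purpose, and the return value of `subprocess.call` is discarded, so a failed `reconfig` goes unnoticed while the file already differs from what `named` serves. Minor: the module-level name `filter` shadows the builtin, and the `__main__` block reads `/etc/machine.secret` without closing the file.
```python
	listener.setuid(0)
	try:
		tmp_file = ACL_CONF_FILE + '.tmp'
		with open(tmp_file, 'w') as acl:
			print >> acl, '# THIS FILE IS GENERATED BY bind-acl.py'
			# … unchanged: remaining print >> acl lines for the acl block …
		# rename within one directory is atomic: named never sees a partial file
		os.rename(tmp_file, ACL_CONF_FILE)
		rc = subprocess.call((RNDC_BIN, '-p', '953', 'reconfig'))
		if rc != 0:
			raise RuntimeError('rndc reconfig failed with exit status %d' % (rc,))
	finally:
		listener.unsetuid()
```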
>--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
>@@ -1,15 +1,19 @@
> @%@UCRWARNING=# @%@
>
>
>-controls{
>+controls {
> inet 127.0.0.1
> allow { @%@dns/master/address@%@; };
>-};
>+};
>+
>+include "/var/lib/bind/network-acls.conf";
>+
> options {
>- directory "/var/cache/bind";
>+ directory "/var/cache/bind";
> @!@
>-dns_allow_query = configRegistry.get('dns/allow/query')
>-dns_allow_query_cache = configRegistry.get('dns/allow/query/cache')
>+NETWORK_ACL = 'ucs_networks'
>+dns_allow_query = configRegistry.get('dns/allow/query', NETWORK_ACL)
>+dns_allow_query_cache = configRegistry.get('dns/allow/query/cache', NETWORK_ACL)
> dns_allow_transfer = configRegistry.get('dns/allow/transfer')
>
> if dns_allow_query:
>@@ -25,6 +29,7 @@ if configRegistry.is_true('dns/ipv6', True ):
> val = 'any'
> print '\tlisten-on-v6 { %s; };' % val
> @!@};
>+
> logging {
> category lame-servers { null; };
> category default{ default_syslog; };
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4 b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
>index 1aa5641..90a1bb5 100644
>--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
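Review bot: `dns_allow_query` and `dns_allow_query_cache` now fall back to the ACL name `ucs_networks`, but that ACL only exists once bind-acl.py has written the included `/var/lib/bind/network-acls.conf`; the postinst hunk merely `touch`es an empty file, so on a fresh install the first start of `named` references an undefined ACL, which BIND treats as a configuration error, unless something outside this diff runs the listener beforehand. The same applies to the identical change in the named.conf.samba4 hunk. Seed the file in postinst with `acl ucs_networks { localhost; };` (or run `bind-acl.py`, whose `__main__` block performs exactly this initial fill) before `named` is started, so the restrictive default fails closed instead of failing to load. The `if dns_allow_query:` body that emits the allow-query statements lies outside the hunk.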
>@@ -1,14 +1,18 @@
> @%@UCRWARNING=# @%@
>
>-controls{
>+controls {
> inet 127.0.0.1
> allow { @%@dns/master/address@%@; };
>-};
>+};
>+
>+include "/var/lib/bind/network-acls.conf";
>+
> options {
>- tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>+ tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> @!@
>-dns_allow_query = configRegistry.get('dns/allow/query')
>-dns_allow_query_cache = configRegistry.get('dns/allow/query/cache')
>+NETWORK_ACL = 'ucs_networks'
>+dns_allow_query = configRegistry.get('dns/allow/query', NETWORK_ACL)
>+dns_allow_query_cache = configRegistry.get('dns/allow/query/cache', NETWORK_ACL)
> dns_allow_transfer = configRegistry.get('dns/allow/transfer')
>
> if dns_allow_query:
>@@ -32,7 +36,6 @@ logging {
> };
> };
>
>-
> @!@
> if configRegistry.get('dns/forwarder1') or configRegistry.get('dns/forwarder2') or configRegistry.get('dns/forwarder3'):
> print '\n# Found a forwarder in ucr variables, using forwarder in zone ".".'
>@@ -100,4 +103,3 @@ print '''dlz "samba4.zone" {
> @!@
>
> include "/etc/bind/local.conf.samba4";
>-
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
>index f850417..cf16baa 100644
>--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
>@@ -1,3 +1,9 @@
>+univention-bind (9.0.5-1) unstable; urgency=low
>+
>+ * Bug #37553: Add ACL list to prevent Open DNS Resolver
>+
>+ -- Philipp Hahn <hahn@univention.de> Thu, 15 Jan 2015 14:22:30 +0100
>+
> univention-bind (9.0.4-1) unstable; urgency=low
>
> * If no dns/forwarder is set, use the nameserver variables as forwarder
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
>index 854e100..20178c7 100644
>--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
>@@ -1,9 +1,4 @@
>-usr/lib/univention-directory-listener/system
>-usr/lib/univention-install/
>-etc/bind
> etc/runit/univention-bind
> etc/runit/univention-bind-proxy
> etc/runit/univention-bind-samba4
>-etc/init.d
>-usr/share/univention-bind/
> var/cache/univention-bind-proxy
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
>index dc15c58..b3ac07b 100644
>--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
>@@ -1,4 +1,5 @@
> bind.py usr/lib/univention-directory-listener/system
>+bind-acl.py usr/lib/univention-directory-listener/system/
> 05univention-bind.inst usr/lib/univention-install
> etc/bind/db.root.fake etc/bind
> 90univention-bind-post.inst usr/lib/univention-install
>diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
>index 7382a14..d935650 100644
>--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
>+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
>@@ -32,17 +32,17 @@
>
> . /usr/share/univention-lib/all.sh
>
>+touch /var/lib/bind/network-acls.conf
>+
> #DEBHELPER#
>
> # configure firewall
> ucr set security/packetfilter/package/univention-bind/udp/53/all=ACCEPT \
> security/packetfilter/package/univention-bind/tcp/53/all=ACCEPT \
>- security/packetfilter/package/univention-bind/udp/7777/all=ACCEPT \
>- security/packetfilter/package/univention-bind/tcp/7777/all=ACCEPT \
> security/packetfilter/package/univention-bind/udp/53/all/en="DNS proxy" \
> security/packetfilter/package/univention-bind/tcp/53/all/en="DNS proxy" \
>- security/packetfilter/package/univention-bind/udp/7777/all/en="DNS server" \
>- security/packetfilter/package/univention-bind/tcp/7777/all/en="DNS server"
>+ security/packetfilter/package/univention-bind/udp/7777/all/en="Backend DNS server" \
>+ security/packetfilter/package/univention-bind/tcp/7777/all/en="Backend DNS server"
> [ -x "/etc/init.d/univention-firewall" ] && invoke-rc.d univention-firewall restart
>
> chmod g+w /etc/bind
>@@ -51,7 +51,8 @@ chmod g+w /etc/bind/*
> univention-config-registry set 'bind/autostart?yes' \
> 'dns/ipv6?yes' \
> 'nameserver/external?false' \
>- 'dns/allow/query?any' \
>+ 'dns/allow/query?ucs_networks' \
>+ 'dns/allow/query/cache?ucs_networks' \
> 'dns/allow/transfer?any' \
> 'dns/dlz/debug/level?0' \
> 'dns/debug/level?0'
>--
>1.9.1
>
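Review bot: The new `'dns/allow/query?ucs_networks'` and `'dns/allow/query/cache?ucs_networks'` defaults are only applied where the key is still unset, but every existing installation already carries `dns/allow/query=any` from the replaced `'dns/allow/query?any'` line, so upgraded systems keep answering recursive queries for everyone and the open-resolver condition this bug reports persists there; add a migration step in the upgrade path (for example, under a version check, replace the value only when it still equals the old default `any`) or document that the setting must be changed by hand. The dropped `udp/7777/all=ACCEPT` and `tcp/7777/all=ACCEPT` lines have the same residue: removing them from the postinst does not unset the variables on upgraded hosts, while the `.../7777/all/en="Backend DNS server"` descriptions remain set for rules a fresh install no longer creates — either `ucr unset` the rules explicitly or keep rules and descriptions together. The firewall and UCR blocks continue outside the two hunks.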