Say you keep loads of domain indicators in flat files for Bro to consume. If some user hits a bad domain, Bro alerts. But you want to auto-block the domain as well. That's where RPZ (Response Policy Zones in BIND) can come into play.
The domains are all in INDICATOR_DOM flat files, one domain per line, like:
cat ALINAPOS_DOM
adobeflasherup1.com
javaoracle2.ru
pula.su
shiningdiscoball.cc
I want to maintain a single place for indicators: the same files feed Bro and the resolver. Piece of cake.
Just cron this script on your BIND RPZ server (it pulls the indicator files from the Bro host and rebuilds the zone):
#!/bin/sh
# Rebuild the BIND RPZ zone from the *_DOM indicator files kept on the Bro host.
ZONE=/var/named/chroot/var/named/rpz.zone
cd /var/tmp || exit 1
rm -f ./*_DOM
scp 'bro:/feeds/*_DOM' .
rm -f "$ZONE"
SERIAL=$(date +%Y%m%d)
# Single quotes: $TTL must reach the zone file literally, not be expanded by the shell.
echo '$TTL 900 ;15 minutes' > "$ZONE"
echo "@ IN SOA servername.example.com. root.servername.example.com. (" >> "$ZONE"
echo " ${SERIAL}01 ; serial" >> "$ZONE"
echo " 900 ; refresh (15 minutes)" >> "$ZONE"
echo " 300 ; retry (5 minutes)" >> "$ZONE"
echo " 86400 ; expire (1 day)" >> "$ZONE"
echo " 600 ; minimum (10 minutes)" >> "$ZONE"
echo ")" >> "$ZONE"
echo " NS servername.example.com." >> "$ZONE"
echo "" >> "$ZONE"
# One CNAME per indicator plus a wildcard, so subdomains of a bad domain are caught too.
for domain in $(cat ./*_DOM)
do
  echo "$domain CNAME walledgarden.example.com."
  echo "*.$domain CNAME walledgarden.example.com."
done >> "$ZONE"
chown root:named "$ZONE"
chmod 640 "$ZONE"
systemctl restart named-chroot.service
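One thing the script above does not guard against: a single malformed line in an indicator file (a stray comment, a trailing dot, an underscore) makes BIND reject the whole zone, and a restart on every cron run also throws away the resolver cache. The variant below is an added example, not code from the original post; it validates each indicator before emitting records, runs named-checkzone on the new file, and reloads only the rpz zone with rndc. The zone name "rpz", the file paths and the walled-garden hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): validated RPZ zone build.
# Assumed: BIND zone named "rpz", same walled-garden target as the post.

# Read indicators on stdin, emit "<domain> CNAME <target>." plus the wildcard
# record for each syntactically valid hostname. Comments, blank lines, case,
# trailing dots and duplicates are normalised away; bad names are skipped and
# reported instead of poisoning the zone.
rpz_records() {
    target=$1
    tr '[:upper:]' '[:lower:]' |
    sed 's/[[:space:]]*$//; s/^[[:space:]]*//; s/\.$//' |
    grep -v '^#' | grep -v '^$' | sort -u |
    while IFS= read -r d; do
        # labels of 1-63 chars, alnum with inner hyphens, at least two labels
        if printf '%s\n' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'; then
            printf '%s CNAME %s.\n' "$d" "$target"
            printf '*.%s CNAME %s.\n' "$d" "$target"
        else
            printf 'skipping malformed indicator: %s\n' "$d" >&2
        fi
    done
}

# Write a complete zone file to $1 from the indicator files given after it.
write_zone() {
    out=$1; shift
    serial=$(date +%Y%m%d)01
    {
        printf '$TTL 900\n'   # single quotes: the shell must not expand $TTL
        printf '@ IN SOA servername.example.com. root.servername.example.com. (\n'
        printf ' %s ; serial\n 900 ; refresh\n 300 ; retry\n 86400 ; expire\n 600 ; minimum\n)\n' "$serial"
        printf ' NS servername.example.com.\n\n'
        cat "$@" | rpz_records walledgarden.example.com
    } > "$out"
}

# Only swap the new file in if BIND accepts it, then reload just the rpz zone
# (assumed zone name) so the resolver keeps its cache and the old policy stays
# live if the new one is broken.
install_zone() {
    new=$1; live=$2
    named-checkzone -q rpz "$new" || { echo 'new zone rejected, keeping old one' >&2; return 1; }
    install -o root -g named -m 640 "$new" "$live"
    rndc reload rpz
}

if [ "$#" -gt 0 ]; then   # usage: script.sh /path/to/*_DOM
    write_zone /var/tmp/rpz.zone.new "$@" && \
    install_zone /var/tmp/rpz.zone.new /var/named/chroot/var/named/rpz.zone
fi
```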