Denied zone transfer not detected by periodic

I notice in /var/log/messages that there were some zone transfer attempts:
Code:
Oct 12 08:39:52  named[1027]: client 91.222.136.77#33551: zone transfer 'p.com/AXFR/IN' denied
Oct 12 12:02:53  named[1027]: client 91.222.136.14#36152: zone transfer 'y.com/AXFR/IN' denied
Oct 12 13:02:06  named[1027]: client 91.222.136.14#39311: zone transfer 'c.com/AXFR/IN' denied
Oct 13 10:49:46  named[1027]: client 89.209.83.238#56423: zone transfer 'g.com/AXFR/IN' denied
Oct 13 14:42:25  named[1027]: client 89.209.83.238#54068: zone transfer 's.com/AXFR/IN' denied
Oct 13 20:14:38  named[1027]: client 91.222.136.77#55465: zone transfer 's.com/AXFR/IN' denied
Oct 13 23:52:30  named[1027]: client 91.222.136.77#56195: zone transfer 'e.com/AXFR/IN' denied

Oddly enough, periodic completely missed them:
Code:
Local system status:
 3:01AM  up 30 days,  4:55, 1 user, load averages: 0.00, 0.00, 0.00

Mail in local queue:
/var/spool/mqueue is empty
		Total requests: 0

Mail in submit queue:
/var/spool/clientmqueue is empty
		Total requests: 0

Security check:
    (output mailed separately)

Checking for rejected mail hosts:

Checking for denied zone transfers (AXFR and IXFR):

-- End of daily output --

If anyone has some thoughts on where to look, that would be helpful. Meanwhile .. back to Google.

:D

Thanks.

-- as an aside I thought, "awww. How cute, someone is trying to get a zone." :P
 
Looking at the script /etc/periodic/daily/470.status-named, it seems it's looking for a different string. Are you using the base version of named or from ports? Different versions may report things a little differently.
 
SirDice said:
Are you using the base version of named or from ports?
Base version. This particular box is at 9.1-RELEASE-p7.

What did you see that stood out? This line seems to be kind of a catch all:
Code:
fgrep -E "^$start.*named\[[[:digit:]]+\]: transfer of .*failed .*: REFUSED" |
 
There's no string in your logs that says "transfer of .... failed", yours says "zone transfer .... denied".
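
The mismatch described in this thread, as an added example that is not part of any post or of the FreeBSD script: it runs the pattern quoted from 470.status-named and a second, hypothetical pattern for the "zone transfer ... denied" message over sample log lines, then counts denials per client. The function names, the second pattern (including its IXFR alternative) and the single REFUSED line are assumptions constructed for illustration; the other sample lines are taken from the first post.

```shell
#!/bin/sh
# Sample input: four "denied" lines from the thread, plus one constructed line
# shaped to fit the pattern quoted from 470.status-named.
sample_log() {
cat <<'EOF'
Oct 12 08:39:52  named[1027]: client 91.222.136.77#33551: zone transfer 'p.com/AXFR/IN' denied
Oct 12 12:02:53  named[1027]: client 91.222.136.14#36152: zone transfer 'y.com/AXFR/IN' denied
Oct 12 12:05:00  named[1027]: transfer of 'example.org/IN' from 192.0.2.1#53: failed while receiving responses: REFUSED
Oct 12 13:02:06  named[1027]: client 91.222.136.14#39311: zone transfer 'c.com/AXFR/IN' denied
Oct 13 10:49:46  named[1027]: client 89.209.83.238#56423: zone transfer 'g.com/AXFR/IN' denied
EOF
}

# Pattern quoted in the thread. $1 is the date prefix the script calls $start,
# for example "Oct 12". Reads log lines on stdin.
script_pattern() {
    grep -E "^$1.*named\[[[:digit:]]+\]: transfer of .*failed .*: REFUSED"
}

# Hypothetical extra pattern (assumption, not in the script) for the message
# format seen in the poster's /var/log/messages.
denied_pattern() {
    grep -E "^$1.*named\[[[:digit:]]+\]: client .*: zone transfer '[^']+/(AXFR|IXFR)/IN' denied"
}

# Denied requests per client address (source port stripped), busiest first.
# Output format: "<address> <count>".
denied_by_client() {
    denied_pattern "$1" |
        sed -E 's/.*: client ([^ #]+)#[0-9]+.*/\1/' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

echo "Matched by the script's pattern:"
sample_log | script_pattern "Oct 12"
echo "Matched by the added pattern, per client:"
sample_log | denied_by_client "Oct 12"
```
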
 