
Configure ThreatSTOP RPZ - CentOS BIND

The following guide assumes you have a working BIND server running on CentOS. 

With this guide, we will complete the following tasks:

  1. Configure the Response Policy Zone
  2. Configure Logging
  3. Set up log rotation to the ThreatSTOP servers
  4. Validate configuration

 

Configure the Response Policy Zone


Add the following line to the options section of the /etc/named.conf file, replacing <RPZ-POLICY> with the name of your ThreatSTOP policy:

response-policy { zone "<RPZ-POLICY>.rpz.threatstop.local"; };

 

Add the following line at the end of the /etc/named.conf file:

include "/etc/named.threatstop.conf";

 

Create the /etc/named.threatstop.conf file and paste the following into it. Replace <TSIG-KEY-NAME> and <TSIG-KEY> with the TSIG key issued for your device, and <ZONE NAME> with the policy zone named in the response-policy statement above (<RPZ-POLICY>.rpz.threatstop.local), since the response-policy statement can only reference a zone that is configured on this server.

[root@centos-bind ~]# vi /etc/named.threatstop.conf

 

//
// This is the configuration for the ThreatSTOP service.
// It includes the TSIG key used to transfer the zone,
// the master server, and the zone configuration itself.
//
key <TSIG-KEY-NAME> {
    algorithm hmac-md5;
    secret "<TSIG-KEY>";
};
server 192.124.129.51 {
    keys { <TSIG-KEY-NAME>; };
};
zone "<ZONE NAME>" {
    type slave;
    masters { 192.124.129.51; };
    file "/var/named/slaves/<ZONE NAME>";
    allow-query { any; };
    allow-transfer { localhost; };
    allow-notify { none; };
};

 

Configure Logging

Add the following to the /etc/named.conf file. The named-rpz channel writes every RPZ rewrite to /var/named/data/rpz.log, which is the file uploaded to ThreatSTOP in the next step:

logging {
    channel normal-log {
        file "/var/named/data/named.log" versions 3 size 1m;
        severity info;
    };
    category default {
        normal-log;
    };
    channel named-rpz {
        file "/var/named/data/rpz.log";
        severity debug;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category rpz {
        named-rpz;
    };
};

 

Set up log rotation to the ThreatSTOP servers

Create the following file, making sure to replace the device identifier placeholder (<td_id> in the fw_tdid= parameter of the curl command) with your device's value:

[root@centos-bind ~]# vi /etc/logrotate.d/threatstop

 

# logrotate passes the path of the log it just rotated to the postrotate
# script as $1, so $1.1 is the file that was moved aside; delaycompress
# keeps it uncompressed until the next run so it can be uploaded as-is.
/var/named/data/rpz.log
{
    rotate 7
    size 100k
    missingok
    notifempty
    delaycompress
    compress
    su named named
    create 0644 named named
    postrotate
        /bin/systemctl restart named
        /usr/bin/curl -v -F "upfile=@$1.1" -F "upfile_size=`/usr/bin/stat -c %s $1.1`" -F "md5_client=`/usr/bin/md5sum $1.1|/usr/bin/cut -d' ' -f 1`" -F "fw_tdid=<td_id>" https://logs.threatstop.com/cgi-bin/logupload.pll
    endscript
}

 

Create the hourly cron file with the following content. The -f flag forces a rotation on every hourly run even if rpz.log has not reached the 100k size threshold, so the log is uploaded to ThreatSTOP at least once an hour:

[root@centos-bind ~]# vi /etc/cron.hourly/logrotate-ts

 

#!/bin/sh
/usr/sbin/logrotate -f /etc/logrotate.d/threatstop

 

Validate configuration

From the BIND server, run the following command:

[root@centos-bind ~]# dig bad.threatstop.com @localhost

You should receive a result like the following. The SOA record for rpz.threatstop.local in the authority section shows that the answer was synthesized by the policy zone rather than resolved from the real domain; a matching rewrite entry should also appear in /var/named/data/rpz.log:

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> bad.threatstop.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
rpz.threatstop.local. 7200 IN SOA ns1.rpz.threatstop.local. hostmaster.rpz.threatstop.local. 1497965332 7200 600 432000 7200

;; Query time: 163 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Jun 20 11:37:06 EDT 2017
;; MSG SIZE  rcvd: 133
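As an added validation helper (not part of this guide or of ThreatSTOP's own tooling), the following script checks a dig reply for the policy zone's SOA and tallies the rewrite lines BIND writes to rpz.log through the named-rpz channel above. The dig reply and log lines embedded in it are constructed samples in the same format, not captures from a live server.

```shell
#!/bin/sh
# Added example, not from the ThreatSTOP guide. Zone name and log format follow
# the guide; SAMPLE_DIG and write_sample_log are constructed samples, not captures.
RPZ_ZONE="rpz.threatstop.local"

# Succeeds when dig output on stdin carries the policy zone's own SOA, which is
# how a name rewritten to NXDOMAIN by the RPZ looks (the real zone's SOA would
# name the real domain instead).
rpz_rewritten() {
    zone_re=$(printf '%s' "$RPZ_ZONE" | sed 's/\./\\./g')
    grep -Eq "^${zone_re}\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+SOA[[:space:]]"
}

# Number of "rpz <trigger> <policy> rewrite" lines in an rpz.log file.
rpz_rewrite_count() {
    grep -Ec ' rpz [A-Z-]+ [A-Z]+ rewrite ' "$1" || true
}

# Per trigger/policy tally of the same lines, e.g. "QNAME NXDOMAIN 2".
rpz_rewrite_summary() {
    awk 'match($0, / rpz [A-Z-]+ [A-Z]+ rewrite /) {
             split(substr($0, RSTART + 1, RLENGTH - 2), f, " ")
             n[f[2] " " f[3]]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Constructed sample of the dig reply the guide shows after a rewrite.
SAMPLE_DIG=';; AUTHORITY SECTION:
rpz.threatstop.local. 7200 IN SOA ns1.rpz.threatstop.local. hostmaster.rpz.threatstop.local. 1497965332 7200 600 432000 7200'

# Constructed rpz.log lines in the named-rpz channel format (time, category,
# severity, message); the debug line has no rewrite and must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
20-Jun-2017 11:37:06.101 rpz: info: client 127.0.0.1#43210 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.threatstop.local
20-Jun-2017 11:37:06.102 rpz: debug 1: rpz: fetched policy zone rpz.threatstop.local
20-Jun-2017 11:38:10.220 rpz: info: client 127.0.0.1#43211 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.threatstop.local
20-Jun-2017 11:39:01.005 rpz: info: client 127.0.0.1#43212 (www.example.net): rpz QNAME CNAME rewrite www.example.net via www.example.net.rpz.threatstop.local
EOF
}

# On the server itself: dig bad.threatstop.com @localhost | rpz_rewritten
sample_log=$(mktemp) && write_sample_log "$sample_log"
printf '%s\n' "$SAMPLE_DIG" | rpz_rewritten && echo "dig reply was rewritten by $RPZ_ZONE"
rpz_rewrite_summary "$sample_log"
rm -f "$sample_log"
```

To check the live server, pipe the real dig output into rpz_rewritten and point rpz_rewrite_summary at /var/named/data/rpz.log.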