The following guide assumes you have a working BIND server running on CentOS.
With this guide, we will complete the following tasks:
- Configure the Response Policy Zone
- Configure Logging
- Set up log rotation to the ThreatSTOP servers
- Validate configuration
Configure the Response Policy Zone
Add the following line to the options section of the /etc/named.conf file:
response-policy { zone "<RPZ-POLICY>.rpz.threatstop.local";};
Add the following to the end of the /etc/named.conf file:
include "/etc/named.threatstop.conf";
Create the /etc/named.threatstop.conf file and paste the following into it:
[root@centos-bind ~]# vi /etc/named.threatstop.conf
//
// This is the location of the ThreatSTOP service
// This will include the key to the zone file and
// the zone configuration itself
//
key <TSIG-KEY-NAME> {
algorithm hmac-md5;
secret "<TSIG-KEY>";
};
server 192.124.129.51 {
keys { <TSIG-KEY-NAME>; };
};
zone "<ZONE NAME>" {
type slave;
masters { 192.124.129.51 ; };
file "/var/named/slaves/<ZONE NAME>";
allow-query { any; };
allow-transfer { localhost; };
allow-notify { none; };
};
Configure Logging
Add the following to the /etc/named.conf file:
logging {
    channel normal-log {
        file "/var/named/data/named.log" versions 3 size 1m;
        severity info;
    };
    category default { normal-log; };
    channel named-rpz {
        file "/var/named/data/rpz.log";
        severity debug;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category rpz { named-rpz; };
};
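The named-rpz channel above records every policy rewrite, so an operator can see which clients asked for names the policy zone blocked before the file is rotated away. The script below is an added example, not part of the ThreatSTOP guide; it assumes the BIND rpz log format with print-time, print-category and print-severity on, and all sample lines, addresses and names in it are constructed.

```shell
#!/bin/sh
# Added example (not from the ThreatSTOP guide): summarise RPZ rewrites recorded in
# /var/named/data/rpz.log by the "category rpz" channel configured above.
# Assumed line format (BIND with print-time/print-category/print-severity on):
#   <time> rpz: info: client <ip>#<port> (<qname>): rpz QNAME <POLICY> rewrite <qname> via <rpz name>
# Every sample line, client address and name below is constructed.

# Write a constructed sample log to the path given as $1 so the script runs offline.
make_sample_log() {
  cat > "$1" <<'EOF'
20-Jun-2017 11:37:06.101 rpz: info: client 192.0.2.10#52311 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.threatstop.local
20-Jun-2017 11:38:12.330 rpz: info: client 192.0.2.10#52390 (evil.example.test): rpz QNAME NXDOMAIN rewrite evil.example.test via evil.example.test.rpz.threatstop.local
20-Jun-2017 11:39:40.002 rpz: info: client 192.0.2.25#40011 (bad.threatstop.com): rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.threatstop.local
20-Jun-2017 11:40:01.777 rpz: info: client 192.0.2.25#40012 (allowed.example.test): rpz QNAME PASSTHRU rewrite allowed.example.test via allowed.example.test.rpz.threatstop.local
EOF
}

# Print one "client qname policy" triple per rewrite line; other lines are ignored.
rpz_hits() {
  awk '/ rpz QNAME [A-Z-]+ rewrite /{
        client=$0; sub(/.*client /,"",client); sub(/#.*/,"",client)
        qname=$0;  sub(/.* rewrite /,"",qname);  sub(/ via .*/,"",qname)
        policy=$0; sub(/.* rpz QNAME /,"",policy); sub(/ rewrite .*/,"",policy)
        print client, qname, policy }' "$1"
}

# Blocking rewrites per client. PASSTHRU is a whitelist hit, so it is not counted.
rpz_blocked_per_client() {
  rpz_hits "$1" | awk '$3 != "PASSTHRU"{n[$1]++} END{for (c in n) print c, n[c]}' | sort
}

# Total number of blocking rewrites in the file, printed as a bare integer.
rpz_blocked_total() {
  rpz_hits "$1" | awk '$3 != "PASSTHRU"{n++} END{print n+0}'
}

# Usage: sh rpz_summary.sh --demo   (runs against the constructed sample)
#        rpz_blocked_per_client /var/named/data/rpz.log   (after sourcing the file)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); make_sample_log "$tmp"
  rpz_blocked_per_client "$tmp"; rm -f "$tmp"
fi
```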
Set up log rotation to the ThreatSTOP servers
Create the following file, making sure to change the fw_ip=<DEVICE-IP> variable accordingly:
[root@centos-bind ~]# vi /etc/logrotate.d/threatstop
/var/named/data/rpz.log {
    rotate 7
    size 100k
    missingok
    notifempty
    delaycompress
    compress
    su named named
    create 0644 named named
    postrotate
        /bin/systemctl restart named
        /usr/bin/curl -v -F "upfile=@$1.1" -F "upfile_size=`/usr/bin/stat -c %s $1.1`" -F "md5_client=`/usr/bin/md5sum $1.1|/usr/bin/cut -d' ' -f 1`" -F "fw_tdid=<td_id>" https://logs.threatstop.com/cgi-bin/logupload.pll
    endscript
}
Create the cron file with the following content:
[root@centos-bind ~]# vi /etc/cron.hourly/logrotate-ts
#!/bin/sh
/usr/sbin/logrotate -f /etc/logrotate.d/threatstop
Validate configuration
From the BIND server, run the following command:
[root@centos-bind ~]# dig bad.threatstop.com @localhost
You should receive the following result:
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.3 <<>> bad.threatstop.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<
rpz.threatstop.local. 7200 IN SOA ns1.rpz.threatstop.local. hostmaster.rpz.threatstop.local. 1497965332 7200 600 432000 7200
;; Query time: 163 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Jun 20 11:37:06 EDT 2017
;; MSG SIZE rcvd: 133