ISPConfig3 Fail2Ban issue...


BorderAmigos
3rd June 2009, 19:37
This morning my fail2ban log shows the following 80 times in a period of 3 seconds...

2009-06-03 07:50:07,700 fail2ban.filter : WARNING Unable to find a corresponding IP address for host156-192-110-95.serverdedicati.aruba.it

Yesterday I showed 80 lines from the same source over a period of 17 minutes. Also 125 lines from the following over a period of 5 seconds.

2009-06-02 08:03:36,528 fail2ban.filter : WARNING Unable to find a corresponding IP address for c906091a.spo.static.virtua.com.br

Yesterday I tracked the error to repeated attempts to hack into pure-ftp via a dictionary type brute force method. I disabled pure-ftpd-mysql then as I'm not using ftp.

I do show in the logs that fail2ban is banning other attackers in the expected way.

But apparently someone is able to hide their ip in a way that fail2ban can't ban them. Anyone know a way to fix this?

falko
4th June 2009, 18:31
The problem is that these hostnames have no reverse records. You can check that with
dig -x host156-192-110-95.serverdedicati.aruba.it
and
dig -x c906091a.spo.static.virtua.com.br

BorderAmigos
4th June 2009, 18:43
I understand that. So by not having reverse records fail2ban can't ban them because it can't find the ip address?

falko
5th June 2009, 14:47
I'm not sure if it can't ban them...

Buzzen
26th October 2009, 06:57
So are these messages in fail2ban something we should be ignoring?

WARNING Unable to find a corresponding IP address for domain.tld

giftsnake
26th October 2009, 18:51
depending on which service you filter in the fail2ban.filter, you can configure that service to log the IPs instead of the hostname -> works for me for pureftp

Buzzen
26th October 2009, 19:47
In almost all cases it does log the IP, but there are a few exceptions when I get that error with PureFTP.

giftsnake
26th October 2009, 21:15
which services does your fail2ban monitor?

Buzzen
26th October 2009, 21:38
SSH and PureFTP

giftsnake
27th October 2009, 00:22
What I did on my machine (Debian Lenny):
echo "yes" > /etc/pure-ftpd/conf/DontResolve
/etc/init.d/pure-ftpd-mysql restart

(to setup pureftp to log IPs instead of hostnames)
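
Added example, not written by anyone in this thread and not fail2ban's own code: a small Python check that reads pure-ftpd authentication failures and separates those logged with an IP literal from those logged with a hostname that has no usable forward lookup, which is the case that produces the warning above. The log line shape, the function names and the 203.0.113.45 address (documentation range) are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
import socket

# Assumed pure-ftpd syslog shape: "(user@host) [WARNING] Authentication failed ..."
FAILURE = re.compile(r"pure-ftpd: \(.+?@(?P<host>\S+)\) \[WARNING\] Authentication failed")

# Constructed sample lines; the hostname is the one quoted in the thread,
# the IP address is from the documentation range 203.0.113.0/24.
SAMPLE_LOG = """\
Jun  3 07:50:07 srv pure-ftpd: (?@host156-192-110-95.serverdedicati.aruba.it) [WARNING] Authentication failed for user [admin]
Jun  3 07:50:07 srv pure-ftpd: (?@host156-192-110-95.serverdedicati.aruba.it) [WARNING] Authentication failed for user [root]
Jun  3 07:51:12 srv pure-ftpd: (?@203.0.113.45) [WARNING] Authentication failed for user [admin]
Jun  3 07:52:00 srv pure-ftpd: (?@203.0.113.45) [INFO] Logout.
"""

def system_resolver(name):
    """Forward lookup via the system resolver; returns [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(log_text, resolve=system_resolver):
    """Split failed logins into bannable IPs and hostnames with no usable IP."""
    bannable, unresolved = {}, {}
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ips = [str(ipaddress.ip_address(host))]  # already an IP literal
        except ValueError:
            ips = resolve(host)                       # hostname: needs DNS
        if ips:
            for ip in ips:
                bannable[ip] = bannable.get(ip, 0) + 1
        else:
            unresolved[host] = unresolved.get(host, 0) + 1
    return bannable, unresolved

if __name__ == "__main__":
    # Offline stand-in for a resolver that finds no forward (A) record.
    ok, missed = classify(SAMPLE_LOG, resolve=lambda name: [])
    print("countable failures by IP:", ok)
    print("failures with no IP to ban:", missed)
```

Run against a real log after setting DontResolve, the second dictionary should stay empty, since every failure is then logged with an address.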

Buzzen
27th October 2009, 00:36
did that last week.

giftsnake
27th October 2009, 01:21
restart pureftp?

Buzzen
27th October 2009, 01:32
Yeah, thankfully it doesn't happen much so it's not a big deal. Was more just curious about it.