#1 | 3rd June 2009, 19:37 | BorderAmigos (Senior Member)
ISPConfig3 Fail2Ban issue...

This morning my fail2ban log shows the following 80 times in a period of 3 seconds...

2009-06-03 07:50:07,700 fail2ban.filter : WARNING Unable to find a corresponding IP address for host156-192-110-95.serverdedicati.aruba.it

Yesterday I showed 80 lines from the same source over a period of 17 minutes. Also 125 lines from the following over a period of 5 seconds.

2009-06-02 08:03:36,528 fail2ban.filter : WARNING Unable to find a corresponding IP address for c906091a.spo.static.virtua.com.br

Yesterday I tracked the error to repeated attempts to hack into pure-ftp via a dictionary type brute force method. I disabled pure-ftpd-mysql then as I'm not using ftp.

I do show in the logs that fail2ban is banning other attackers in the expected way.

But apparently someone is able to hide their ip in a way that fail2ban can't ban them. Anyone know a way to fix this?
__________________
System6Hosting.com, ISPConfig 3, Debian.
#2 | 4th June 2009, 18:31 | falko (Super Moderator)

The problem is that these hostnames have no reverse records. You can check that with
Code:
dig -x host156-192-110-95.serverdedicati.aruba.it
and
Code:
dig -x c906091a.spo.static.virtua.com.br
__________________
Falko
#3 | 4th June 2009, 18:43 | BorderAmigos (Senior Member)

I understand that. So by not having reverse records fail2ban can't ban them because it can't find the ip address?
#4 | 5th June 2009, 14:47 | falko (Super Moderator)

I'm not sure if it can't ban them...
#5 | 26th October 2009, 06:57 | Buzzen (Member)

So are these messages in fail2ban something we should be ignoring?

WARNING Unable to find a corresponding IP address for domain.tld
__________________
Debian Lenny Perfect Install - ISPConfig 3.0.1.6
******************************
Dell Poweredge 1950
2 x 3.73Ghz DualCore Xeon 2x2MB
16GB DDR2 667 ECC REG
2 x 2TB (raid 1)
#6 | 26th October 2009, 18:51 | giftsnake (Senior Member)

depending on which service you filter in the fail2ban.filter, you can configure that service to log the IPs instead of the hostname -> works for me for pureftp
#7 | 26th October 2009, 19:47 | Buzzen (Member)

In almost all cases it does log the IP, but there are a few exceptions when I get that error with PureFTP.

Last edited by Buzzen; 26th October 2009 at 19:51.
#8 | 26th October 2009, 21:15 | giftsnake (Senior Member)

which services does your fail2ban monitor?
#9 | 26th October 2009, 21:38 | Buzzen (Member)

SSH and PureFTP
#10 | 27th October 2009, 00:22 | giftsnake (Senior Member)

what i did on my machine (Debian Lenny):
Quote:
echo "yes" > /etc/pure-ftpd/conf/DontResolve
/etc/init.d/pure-ftpd-mysql restart
(to setup pureftp to log IPs instead of hostnames)
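
Added example, not part of any post above: the script counts the "Unable to find a corresponding IP address" warnings per hostname in a fail2ban log, so you can see which sources were never resolved to an address, and checks whether the DontResolve option from post #10 is set. The sample log, its hostnames and the Ban line are constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list hosts fail2ban could not resolve.

# Print "count<TAB>host<TAB>first seen<TAB>last seen", busiest host first.
# $1 = fail2ban log in the format quoted in post #1.
unresolved_hosts() {
    awk '
        /WARNING Unable to find a corresponding IP address for / {
            host = $NF                 # hostname is the last field
            ts = $1 " " $2             # date and time,milliseconds
            if (!(host in n)) first[host] = ts
            last[host] = ts
            n[host]++
        }
        END {
            for (h in n)
                printf "%d\t%s\t%s\t%s\n", n[h], h, first[h], last[h]
        }
    ' "$1" | sort -rn
}

# Succeed if <dir>/DontResolve holds "yes", the value written in post #10.
# $1 = option directory (default: the path used in the thread).
dontresolve_enabled() {
    conf="${1:-/etc/pure-ftpd/conf}/DontResolve"
    [ -r "$conf" ] && [ "$(tr -d '[:space:]' < "$conf")" = "yes" ]
}

# Constructed sample log (hostnames and the banned address are placeholders).
write_sample_log() {
    cat > "$1" <<'EOF'
2009-06-03 07:50:07,700 fail2ban.filter : WARNING Unable to find a corresponding IP address for host-a.example.net
2009-06-03 07:50:08,120 fail2ban.filter : WARNING Unable to find a corresponding IP address for host-a.example.net
2009-06-03 07:50:09,001 fail2ban.actions: WARNING [pure-ftpd] Ban 192.0.2.10
2009-06-03 07:50:10,450 fail2ban.filter : WARNING Unable to find a corresponding IP address for host-a.example.net
2009-06-03 08:03:36,528 fail2ban.filter : WARNING Unable to find a corresponding IP address for host-b.example.org
EOF
}

log=$(mktemp)
write_sample_log "$log"
unresolved_hosts "$log"
if dontresolve_enabled; then
    echo "pure-ftpd logs IP addresses (DontResolve=yes)"
else
    echo "pure-ftpd may log hostnames; fail2ban must resolve them to ban"
fi
rm -f "$log"
```

On a live server, pass the real fail2ban log path to `unresolved_hosts` instead of the sample file.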