ISPConfig3 Fail2Ban issue...

Discussion in 'General' started by BorderAmigos, Jun 3, 2009.

  1. BorderAmigos

    BorderAmigos New Member

    This morning my fail2ban log shows the following 80 times in a period of 3 seconds...

    2009-06-03 07:50:07,700 fail2ban.filter : WARNING Unable to find a corresponding IP address for host156-192-110-95.serverdedicati.aruba.it

    Yesterday I showed 80 lines from the same source over a period of 17 minutes. Also 125 lines from the following over a period of 5 seconds.

    2009-06-02 08:03:36,528 fail2ban.filter : WARNING Unable to find a corresponding IP address for c906091a.spo.static.virtua.com.br

    Yesterday I tracked the error to repeated attempts to hack into pure-ftp via a dictionary type brute force method. I disabled pure-ftpd-mysql then as I'm not using ftp.

    I do show in the logs that fail2ban is banning other attackers in the expected way.

    But apparently someone is able to hide their ip in a way that fail2ban can't ban them. Anyone know a way to fix this?
     
  2. falko

    falko Super Moderator

    The problem is that these hostnames have no reverse records. You can check that with
    Code:
    dig -x host156-192-110-95.serverdedicati.aruba.it
    and
    Code:
    dig -x c906091a.spo.static.virtua.com.br
     
  3. BorderAmigos

    BorderAmigos New Member

    I understand that. So by not having reverse records fail2ban can't ban them because it can't find the ip address?
     
  4. falko

    falko Super Moderator

    I'm not sure if it can't ban them...
     
  5. Buzzen

    Buzzen New Member

    So are these messages in fail2ban someting we should be ignoring?

    WARNING Unable to find a corresponding IP address for domain.tld
     
  6. giftsnake

    giftsnake New Member

    depending on which service you filter in the fail2ban.filter, you can configure that service to log the IPs instead of the hostname -> works for me for pureftp
     
  7. Buzzen

    Buzzen New Member

    It almost all cases it does log the IP, but there are a few exceptions when I get that error with PureFTP.
     
    Last edited: Oct 26, 2009
  8. giftsnake

    giftsnake New Member

    which services does your fail2ban monitor?
     
  9. Buzzen

    Buzzen New Member

    SSH and PureFTP
     
  10. giftsnake

    giftsnake New Member

    what i did on my machine (Debian Lenny):
    (to setup pureftp to log IPs instead of hostnames)
     
  11. Buzzen

    Buzzen New Member

    did that last week.
     
  12. giftsnake

    giftsnake New Member

    restart pureftp?
     
  13. Buzzen

    Buzzen New Member

    yeh, thankfully it doesnt happen much so its not a big deal. Was more just curious about it.
     

Share This Page