Hostnames or IP Addresses
This article contains background on the issue and a list of fixes. You can skip to the fixes using the table of contents.
Many services are set up to log hostnames instead of IP addresses. The workflow goes something like this:
- The attacker controls 192.0.2.2, which maps back to the name attack.example.com
- The attacker changes the PTR record for 192.0.2.2 to search.example.org
- The attacker attacks a server from 192.0.2.2, but the server does a name lookup and logs search.example.org instead of attack.example.com
- search.example.org can no longer access the server, because fail2ban bans the address that search.example.org resolves to
The solution is to set all services not to do reverse DNS lookups and instead to log IP addresses only.
To prevent Denial of Service attacks like this one, fail2ban can now be configured to ignore all hostnames in log files and optionally to warn the administrator that there are hostnames being logged.
use_dns accepts three values:
- yes: current behavior
- warn: uses DNS, but warns upon each DNS lookup
- no: no DNS lookup and no warnings; INFO-level log messages when rDNS was necessary and the entry was ignored because of that
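The following is an added example, not fail2ban's own code, showing how the three modes treat a log that mixes IP addresses and a hostname. The log lines, the `FAKE_DNS` table (a stand-in for a real resolver so the example runs offline), the address 198.51.100.7 and the function names are all constructed for illustration; the option spelling `use_dns` follows this page.

```python
import ipaddress
import re

# Constructed sshd-style log lines (not from a real system).
SAMPLE_LOG = [
    "Jan 10 03:12:01 srv sshd[811]: Failed password for root from 192.0.2.2 port 4022 ssh2",
    "Jan 10 03:12:04 srv sshd[811]: Failed password for root from search.example.org port 4023 ssh2",
    "Jan 10 03:12:09 srv sshd[812]: Failed password for admin from 2001:db8::5 port 4100 ssh2",
]
HOST_RE = re.compile(r" from (\S+) port \d+")

# Constructed forward-DNS table: the innocent host's real address (assumption).
FAKE_DNS = {"search.example.org": "198.51.100.7"}


def is_ip(token):
    """True if the logged peer is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def addresses_to_ban(lines, use_dns="warn", resolve=FAKE_DNS.get):
    """Return (bans, notes) for use_dns in {'yes', 'warn', 'no'}."""
    if use_dns not in ("yes", "warn", "no"):
        raise ValueError("use_dns must be yes, warn or no")
    bans, notes = [], []
    for line in lines:
        match = HOST_RE.search(line)
        if not match:
            continue
        host = match.group(1)
        if is_ip(host):
            bans.append(host)  # literal address: no lookup needed
            continue
        if use_dns == "no":
            # Hostname in the log: ignore the entry instead of trusting DNS.
            notes.append(f"INFO ignored hostname {host}")
            continue
        if use_dns == "warn":
            notes.append(f"WARNING DNS lookup for logged hostname {host}")
        addr = resolve(host)  # forward lookup lands on the spoofed name's owner
        if addr:
            bans.append(addr)
    return bans, notes
```

With `yes` or `warn`, the ban list contains 198.51.100.7, the address of the host whose name was spoofed in the PTR record; with `no`, only the addresses that were logged literally are banned.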
Feel free to post documentation for additional services, but please keep the list orderly.