Hostnames or IP Addresses

From Fail2ban

This article contains background on the issue and a list of fixes.

The Issue

Many services are set up to log hostnames instead of IP addresses. The workflow goes something like this:

  • The attacker controls 192.0.2.2, which maps back (via its PTR record) to the name attack.example.com
  • The attacker changes the PTR record for 192.0.2.2 to search.example.org
  • The attacker attacks a server from 192.0.2.2; the server performs a reverse lookup and logs search.example.org instead of attack.example.com
  • search.example.org, an uninvolved host, can no longer access the server

The solution is to set all services not to do reverse DNS lookups and instead to log IP addresses only.

Fail2Ban Changes

To prevent Denial of Service attacks like this one, fail2ban can now be configured to ignore all hostnames in log files and optionally to warn the administrator that there are hostnames being logged.

use_dns
yes   (current behavior: hostnames in log lines are resolved)
warn  (hostnames are resolved, but a warning is logged on each DNS lookup)
no    (no DNS lookup and no warnings; an INFO-level log message is written when
       a lookup would have been necessary and the entry was ignored because of that)
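
As an added illustration (example code, not part of fail2ban or this page), the function below applies the three use_dns policies to constructed log lines. Names such as extract_ips, HOST_RE and fake_resolver, and the address 198.51.100.7, are assumptions for the example; with use_dns=yes the spoofed hostname resolves to the uninvolved host's address, which is exactly what gets banned in the attack above.

```python
import ipaddress
import logging
import re
import socket

log = logging.getLogger("fail2ban.example")

# Constructed sample lines (not taken from the page): one logs an IP, one a hostname.
SAMPLE_LINES = [
    "sshd[1]: Failed password for root from 192.0.2.2 port 2222 ssh2",
    "sshd[2]: Failed password for root from search.example.org port 2223 ssh2",
]

HOST_RE = re.compile(r"from (?P<host>\S+) port \d+")


def resolve_host(name, resolver=socket.gethostbyname_ex):
    """Forward-resolve name to its IP list; empty list when the lookup fails."""
    try:
        return resolver(name)[2]
    except (socket.gaierror, socket.herror, OSError):
        return []


def extract_ips(line, use_dns="no", resolver=socket.gethostbyname_ex):
    """Return the addresses a jail would act on for one log line.

    use_dns="yes":  hostnames are resolved silently (the risky behaviour)
    use_dns="warn": hostnames are resolved, but each lookup is logged as a WARNING
    use_dns="no":   hostnames are never resolved; an INFO entry records the skip
    """
    m = HOST_RE.search(line)
    if not m:
        return []
    host = m.group("host")
    try:
        return [str(ipaddress.ip_address(host))]  # already an IP: no DNS needed
    except ValueError:
        pass  # not an address, so the log contains a hostname
    if use_dns == "no":
        log.info("ignoring hostname %r: DNS lookup would be needed, use_dns=no", host)
        return []
    if use_dns == "warn":
        log.warning("log line contains hostname %r; performing DNS lookup", host)
    elif use_dns != "yes":
        raise ValueError("use_dns must be yes, warn or no")
    return resolve_host(host, resolver)


def fake_resolver(name):
    """Offline stand-in for socket.gethostbyname_ex using constructed data."""
    table = {"search.example.org": ["198.51.100.7"]}
    if name not in table:
        raise socket.gaierror("constructed: name not found")
    return (name, [], table[name])
```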

Fixes

Feel free to post documentation for additional services, but please keep the list orderly.