Hostnames or IP Addresses

From Fail2ban
Revision as of 12:43, 10 January 2012 by Yakatz


This article contains background on the issue and a list of fixes.

The Issue

Many services are set up to log hostnames instead of IP addresses. The workflow goes something like this:

  • Attacker controls, which maps back to the name
  • An attacker changes the PTR for to be
  • Attacker attacks a server from, but the server does a name lookup and logs, instead of
  • can no longer access the server

The solution is to set all services not to do reverse DNS lookups and instead to log IP addresses only.

Fail2Ban Changes

To prevent Denial of Service attacks like this one, fail2ban can now be configured to ignore all hostnames in log files and optionally to warn the administrator that there are hostnames being logged.

yes   (current behavior)
warn  (uses but warns upon each DNS lookup)
no    (no DNS lookup, no warnings, INFO-LEVEL log messages when
        rDNS was necessary and entry was ignored because of that)
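To make the three policies concrete, the following is an added Python model (written for this page, not fail2ban's own code) of how a jail could treat the host field of a log line under each value of the usedns option. The log lines, the forward-DNS table and every address and hostname in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample log lines (not from a real system). The third line carries a
# hostname instead of an address because the logging service did a reverse lookup
# and trusted the attacker-controlled PTR record.
SAMPLE_LOG = [
    "sshd[1]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "sshd[1]: Failed password for root from 198.51.100.9 port 22 ssh2",
    "sshd[1]: Failed password for root from victim.example port 22 ssh2",
]

# Constructed forward-DNS table standing in for a real resolver so the example runs
# offline. The spoofed PTR said "victim.example"; that name forward-resolves to the
# legitimate victim's address, so trusting the logged hostname bans the wrong host.
FAKE_FORWARD_DNS = {"victim.example": "192.0.2.50"}

HOST_RE = re.compile(r"from (?P<host>\S+) port")


def hosts_to_ban(lines, usedns="no", resolve=FAKE_FORWARD_DNS.get):
    """Return (addresses_to_ban, log_messages) for a usedns policy of yes/warn/no."""
    bans, messages = [], []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ipaddress.ip_address(host)  # an IP literal needs no DNS and is used as-is
            bans.append(host)
            continue
        except ValueError:
            pass  # not an address, so the log recorded a hostname
        if usedns == "no":
            messages.append(f"INFO: ignoring hostname {host!r}; rDNS result not trusted")
            continue
        if usedns == "warn":
            messages.append(f"WARNING: DNS lookup performed for {host!r}")
        resolved = resolve(host)  # usedns=yes/warn: resolve the name and ban the result
        if resolved:
            bans.append(resolved)
    return bans, messages
```

With usedns=no the spoofed entry is dropped with an INFO message, while yes and warn both end up banning 192.0.2.50, the address the attacker chose.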


Feel free to post documentation for additional services, but please keep the list orderly.