This morning my fail2ban log shows the following 80 times in a period of 3 seconds...
2009-06-03 07:50:07,700 fail2ban.filter : WARNING Unable to find a corresponding IP address for host156-192-110-95.serverdedicati.aruba.it
Yesterday I showed 80 lines from the same source over a period of 17 minutes. Also 125 lines from the following over a period of 5 seconds.
2009-06-02 08:03:36,528 fail2ban.filter : WARNING Unable to find a corresponding IP address for c906091a.spo.static.virtua.com.br
Yesterday I tracked the error to repeated attempts to hack into pure-ftp via a dictionary type brute force method. I disabled pure-ftpd-mysql then as I'm not using ftp. I do show in the logs that fail2ban is banning other attackers in the expected way. But apparently someone is able to hide their IP in a way that fail2ban can't ban them. Anyone know a way to fix this?
The problem is that these hostnames have no reverse records. You can check that with
Code:
dig -x host156-192-110-95.serverdedicati.aruba.it
and
Code:
dig -x c906091a.spo.static.virtua.com.br
I understand that. So by not having reverse records fail2ban can't ban them because it can't find the IP address?
So are these messages in fail2ban something we should be ignoring? WARNING Unable to find a corresponding IP address for domain.tld
Depending on which service you filter in the fail2ban.filter, you can configure that service to log the IPs instead of the hostname -> works for me for pureftp
In almost all cases it does log the IP, but there are a few exceptions when I get that error with PureFTP.
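A triage helper for the warning discussed in this thread, as an added example that is not part of any post: it groups the "Unable to find a corresponding IP address" lines by hostname, reports how many there were and over what time span, and tries a forward lookup for each name. The sample lines, hostnames and the names summarize and system_resolver are constructed for illustration.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Matches the fail2ban.filter warning in the format quoted in the thread.
WARN_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3}) fail2ban\.filter\s*: "
    r"WARNING Unable to find a corresponding IP address for (\S+)"
)

def system_resolver(host):
    """Forward-resolve a hostname; return its IPv4 addresses, [] on failure."""
    try:
        return sorted(set(socket.gethostbyname_ex(host)[2]))
    except OSError:  # covers socket.gaierror and socket.herror
        return []

def summarize(lines, resolver=system_resolver):
    """Return {host: {count, first, last, span_s, ips}} for warning lines."""
    seen = defaultdict(list)
    for line in lines:
        m = WARN_RE.match(line.strip())
        if not m:
            continue  # bans and other log lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        seen[m.group(3)].append(ts.replace(microsecond=int(m.group(2)) * 1000))
    report = {}
    for host, stamps in seen.items():
        first, last = min(stamps), max(stamps)
        report[host] = {
            "count": len(stamps), "first": first, "last": last,
            "span_s": (last - first).total_seconds(),
            "ips": resolver(host),
        }
    return report

# Constructed sample lines (hostnames and the banned IP are made up).
W = " fail2ban.filter : WARNING Unable to find a corresponding IP address for "
SAMPLE = [
    "2009-06-03 07:50:07,700" + W + "ftp-a.example.net",
    "2009-06-03 07:50:08,950" + W + "ftp-a.example.net",
    "2009-06-03 07:50:10,200" + W + "ftp-a.example.net",
    "2009-06-03 07:50:30,000" + W + "ftp-b.example.org",
    "2009-06-03 07:51:00,100 fail2ban.actions: WARNING [pure-ftpd] Ban 192.0.2.10",
]

if __name__ == "__main__":
    for host, r in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{host}: {r['count']} warnings in {r['span_s']:.1f}s, ips={r['ips']}")
```

Pass the lines of your own fail2ban log to summarize in place of SAMPLE; a host with an empty ips list is one that fail2ban could not turn into an address to ban.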