#30 Failures with unknown IP addresses

Status: open
Owner: Cyril Jaquier
Labels: None
Priority: 5
Updated: 2007-04-01
Created: 2007-03-31
Creator: vanchuck
Private: No

My server has been getting attacked for two days now from someone who appears to be connecting from a certain hostname, but that hostname has no IP address:

---- /var/log/syslog:
Mar 31 10:28:40 services pure-ftpd: (?@customer2-16-172.iplannetworks.net) [WARNING] Authentication failed for user [calvin]

---- /var/log/fail2ban.log:
2007-03-31 10:29:03,577 fail2ban.filter : WARNING Unable to find a corresponding IP address for customer2-16-172.iplannetworks.net

---- netstat | grep customer2
tcp 13 0 ###.###.###.156:ftp customer2-16-172.:52294 ESTABLISHED
tcp 13 0 ###.###.###.158:ftp customer2-16-172.:52005 ESTABLISHED

---- ping customer2-16-172.iplannetworks.net
ping: unknown host customer2-16-172.iplannetworks.net

The problem, however, is that fail2ban gets confused by this. Not only can it not ban the person, but after EVERY failed attempt, it tries to ban the person but fails, creating millions of error messages in the fail2ban logs, and working hard enough that an otherwise idle server would have system load increased by >0.5 (not a big deal, but it might be if there were 4+ such attackers at one time).

The only way I've found to get around this is to find out what actual IP address is trying to connect via:

---- netstat -n | grep :21
tcp 11 0 ###.###.###.156:21 190.2.16.172:60231 ESTABLISHED
tcp 11 0 ###.###.###.158:21 190.2.16.172:60777 ESTABLISHED

So now I know their real IP address, and to hack fail2ban into working, I can then manually replace the unknown hostname by this IP address in the log file (or manually add an iptables rule myself, if I were brave enough).

I know this is an issue with my system logging the hostname instead of the IP address, but given that fail2ban tends to hammer the server with IP lookups, log processing, and spitting out unreasonable numbers of errors into the logfiles, I'm wondering if there could be some way to mitigate these effects in a future release.

Thanks for the great product though!
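
Added example, not part of the original report and not fail2ban's own code: one way to blunt the effect described above is to remember hostnames that failed to resolve for a while, so repeated failures from the same unresolvable host cost one DNS query and one warning per interval instead of one per log line. The class name, the 300-second interval and the stub lookup are assumptions made for this sketch.

```python
import ipaddress
import socket
import time

class NegativeCachingResolver:
    """Turn a host field from a log line into IPs, remembering failed lookups."""

    def __init__(self, lookup=socket.gethostbyname_ex, neg_ttl=300.0,
                 clock=time.monotonic):
        self._lookup = lookup    # injectable so the demo runs offline
        self._neg_ttl = neg_ttl  # seconds an unresolvable name is remembered (assumed)
        self._clock = clock
        self._failed = {}        # hostname -> time the negative entry expires
        self.warnings = []       # stand-in for lines written to the log file

    def resolve(self, host):
        try:                     # already an IP literal: nothing to look up
            ipaddress.ip_address(host)
            return [host]
        except ValueError:
            pass
        now = self._clock()
        expiry = self._failed.get(host)
        if expiry is not None:
            if now < expiry:
                return []        # known-bad name: no DNS query, no new warning
            del self._failed[host]
        try:
            return list(self._lookup(host)[2])
        except (socket.gaierror, socket.herror):
            self._failed[host] = now + self._neg_ttl
            self.warnings.append(
                "Unable to find a corresponding IP address for %s" % host)
            return []

def demo():
    """Replay 1000 failures from the unresolvable host (constructed input)."""
    calls, t = [], [0.0]
    def never_resolves(host):    # constructed stub standing in for DNS
        calls.append(host)
        raise socket.gaierror(-2, "Name or service not known")
    r = NegativeCachingResolver(never_resolves, 300.0, lambda: t[0])
    host = "customer2-16-172.iplannetworks.net"
    for _ in range(1000):
        t[0] += 0.1              # 1000 failed logins spread over 100 seconds
        r.resolve(host)
    first = (len(calls), len(r.warnings))
    t[0] += 300.0                # let the negative entry expire
    r.resolve(host)
    return first, (len(calls), len(r.warnings))

if __name__ == "__main__":
    print(demo())
```
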

Discussion

  • Cyril Jaquier
    2007-04-01

    Logged In: YES
    user_id=933467
    Originator: NO

    Thank you. I will look at this.

     
  • Cyril Jaquier
    2007-04-01

    • assigned_to: nobody --> lostcontrol