#42 Whois timeout

open
nobody
None
5
2009-04-11
2009-04-11
Anonymous
No

When fail2ban runs whois on an IP address, it keeps waiting for a reply.

If there is no answer (timeout or bad IP), fail2ban is blocked and the system load rises indefinitely. In addition, fail2ban ceases to act on new attacks.

After some time, the server may crash (too many attacks or load too high).

Hackers could use this issue to attack servers using an IP address that is not in the Whois database for example.

fail2ban should have a timeout (one minute) in case of no response from the whois.

Thank you.

Discussion

  • P Fudd

    P Fudd - 2010-06-08

    I've been bitten by this bug too; the whois command (jwhois 4.0, on Fedora 12) sometimes hangs forever, and fail2ban hangs waiting for whois. This only occurs when action = sendmail-whois-lines, as the default is not to call whois.

    As a result, ssh attacks are not blocked until root types 'killall whois' or reboots.

     
  • Steven T. Snyder

    This occurs fairly often for me as well. If I see the fail2ban emails stop coming for a day, I can be very certain that whois is hanging and I need to log in and kill it.
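
An added example, not part of the thread above and not fail2ban's own code: one way to put the one-minute limit the report asks for around an external whois call, in Python on a POSIX system. The names `bounded_lookup` and `ban_with_report` are hypothetical, and banning before the lookup runs is this example's assumption.

```python
import os
import signal
import subprocess
import sys

WHOIS_TIMEOUT = 60  # seconds; the one-minute limit proposed in the report


def bounded_lookup(argv, timeout=WHOIS_TIMEOUT):
    """Run argv, never blocking longer than `timeout` seconds.

    Returns (status, output); status is "ok", "failed", "timeout" or
    "missing". Hypothetical helper, not a fail2ban function.
    """
    try:
        proc = subprocess.Popen(
            argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL, text=True,
            start_new_session=True,  # own process group, so helpers die too
        )
    except FileNotFoundError:
        return "missing", ""
    try:
        out, _ = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        try:
            os.killpg(proc.pid, signal.SIGKILL)  # kill the whole group
        except ProcessLookupError:
            pass  # it exited between the timeout and the kill
        proc.communicate()  # reap, so no zombie is left behind
        return "timeout", ""
    return ("ok" if proc.returncode == 0 else "failed"), out


def ban_with_report(ip, lookup_argv, ban, notify, timeout=WHOIS_TIMEOUT):
    """Ban first (assumption of this example), then mail what the lookup gave."""
    ban(ip)  # enforcement does not depend on the lookup finishing
    status, out = bounded_lookup(lookup_argv, timeout)
    notify(ip, out if status == "ok" else f"(whois unavailable: {status})")
    return status


if __name__ == "__main__":
    # Constructed stand-in for a hung whois process; 192.0.2.10 is a
    # documentation address, and print() stands in for ban and notify.
    hung = [sys.executable, "-c", "import time; time.sleep(300)"]
    print(ban_with_report("192.0.2.10", hung, print, print, timeout=2))
```
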

     
