From: j d. <jd...@ga...> - 2010-10-25 16:14:06

It appears that fail2ban's whois is not properly querying arin.net.
All results for queries are like this:

==BEGIN==
[Querying whois.arin.net]
[whois.arin.net]
#
# Query terms are ambiguous. The query is assumed to be:
# "n 173.49.24.x"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.49.24.x?showDetails=true&showARIN=false
#
Verizon Online LLC VIS-BLOCK (NET-173-48-0-0-1) 173.48.0.0 - 173.63.255.255
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
===END===

This is not very helpful. It requires additional manual effort to get
the registry data.

ARIN changed their whois service in July 2010 and different query
methods are now required per ARIN's announcement earlier in the year.

Though little useful info is returned it does not prevent blocking.

==
jd

From: Tom H. <to...@wh...> - 2010-10-25 19:06:53

On 25/10/10 18:12, j debert wrote:
>
> It appears that fail2ban's whois is not properly querying arin.net.
> All results for queries are like this:
>

Hi,

fail2ban uses your system whois binary, there is no builtin client.
However, when I try with latest whois from
http://www.linux.it/~md/software/ (which should be the default whois in
several distros), I receive no more info about the ip range you used for
your example.

--
Regards,
Tom

From: Tom H. <to...@wh...> - 2010-10-25 19:28:13

On 25/10/10 21:06, Tom Hendrikx wrote:
> On 25/10/10 18:12, j debert wrote:
>>
>> It appears that fail2ban's whois is not properly querying arin.net.
>> All results for queries are like this:
>>
>
> Hi,
>
> fail2ban uses your system whois binary, there is no builtin client.
> However, when I try with latest whois from
> http://www.linux.it/~md/software/ (which should be the default whois in
> several distros), I receive no more info about the ip range you used for
> your example.
>

I got some extra examples from my mail archive; these look fine to me:

173.63.45.35
206.123.101.97
208.109.95.107

But I also have some with output looking exactly like yours. The issue
does not seem to be with the whois or ARIN's new query interface, but
with the data...

--
Regards,
Tom

From: j d. <jd...@ga...> - 2010-11-09 22:44:19

On 10/25/2010 12:06 PM, Tom Hendrikx wrote:
> On 25/10/10 18:12, j debert wrote:
>>
>> It appears that fail2ban's whois is not properly querying arin.net.
>> All results for queries are like this:
>>
>
> Hi,
>
> fail2ban uses your system whois binary, there is no builtin client.
> However, when I try with latest whois from
> http://www.linux.it/~md/software/ (which should be the default whois in
> several distros), I receive no more info about the ip range you used for
> your example.
>

I should have said that fail2ban is not using whois to query
whois.arin.net the way ARIN expects. whois.arin.net expects to see some
flags in the query and if there are none, will not return consistent
results.

Using the + flag in the query provided the detailed information that was
lacking in the example query as well as all the other queries that
resulted in short returns.

ARIN's announcement of the change is here:
http://lists.arin.net/pipermail/arin-announce/2010-July/001044.html

A description of the differences between the old and new whois service
is here:
https://www.arin.net/resources/whoisrws/whois_diff.html

jd
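
The flagged re-query described in the last message, as an added example that is not part of the thread and is not fail2ban's own code. The function names, the 192.0.2.10 test address and the use of the system client's -h option are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed sample: the terse reply quoted in the first message, shortened.
SAMPLE = """[Querying whois.arin.net]
# Query terms are ambiguous.  The query is assumed to be:
#     "n 173.49.24.x"
Verizon Online LLC VIS-BLOCK (NET-173-48-0-0-1) 173.48.0.0 - 173.63.255.255
"""

# One-line net summary: "<org> <name> (NET-...) <start> - <end>"
SUMMARY_RE = re.compile(r"^[^#\s].*\(NET6?-[0-9A-F-]+\)\s+\S+\s+-\s+\S+\s*$", re.M)
# Field labels that only appear in a full ARIN network record
DETAIL_RE = re.compile(r"^(NetRange|CIDR|OrgName):", re.M)


def is_arin_summary(output):
    """True when the reply holds only one-line summaries and no full record."""
    return bool(SUMMARY_RE.search(output)) and not DETAIL_RE.search(output)


def arin_detail_argv(ip):
    """argv for a flagged query: 'n' selects networks, '+' asks for full detail."""
    addr = ipaddress.ip_address(ip)  # ValueError for anything that is not an IP
    # Assumption: the system whois client accepts -h HOST and passes the query as-is.
    return ["whois", "-h", "whois.arin.net", "n + %s" % addr]


def run_whois(argv):
    """Run the system whois binary without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout


def lookup(ip, runner=run_whois):
    """Plain lookup first; re-query ARIN with flags if only a summary came back."""
    out = runner(["whois", str(ipaddress.ip_address(ip))])
    return runner(arin_detail_argv(ip)) if is_arin_summary(out) else out


if __name__ == "__main__":
    print(is_arin_summary(SAMPLE))
    print(arin_detail_argv("192.0.2.10"))
```

Passing the query as a single argv element and parsing the address first keeps log-derived input out of a shell command line.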