fail2ban filter.DNSUtils.dnsToIp() calls socket.gethostbyname_ex() to get the IP address(es) for a host name. It appears to do this for every matching log record without regard to whether it just looked up the same host.
If there is some DNS issue outside of fail2ban that slows DNS lookups, and thus delays each socket.gethostbyname_ex() call, fail2ban can be slowed considerably, resulting in a significant delay before the IP is blocked.
The attached patch to server/filter.py adds a cache of the most recent 10 host names used in calls to DNSUtils.dnsToIp(), and returns a hit from the cache rather than doing a new socket.gethostbyname_ex() call.
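The caching idea described above, written out as an added example rather than the attached patch or fail2ban's own code. The `DNSUtils` class, its `resolver` parameter and `make_fake_resolver` are assumptions for illustration; the cache keeps the 10 most recently used host names, and only successful answers are cached so that a slow or failing resolver cannot pin an empty result.

```python
import socket
from collections import OrderedDict

CACHE_SIZE = 10  # most recent host names kept, matching the page's patch


class DNSUtils:
    """Stand-in for fail2ban's filter.DNSUtils with a bounded lookup cache
    (added example, not the project's code)."""

    # host name -> list of IPs; OrderedDict keeps the most recently used last
    _cache = OrderedDict()
    # number of real resolver calls made, so callers can see the cache effect
    resolver_calls = 0

    @classmethod
    def _lookup(cls, dns, resolver):
        cls.resolver_calls += 1
        try:
            # gethostbyname_ex returns (name, aliases, ip_list)
            return resolver(dns)[2]
        except socket.gaierror:
            return []

    @classmethod
    def dnsToIp(cls, dns, resolver=socket.gethostbyname_ex):
        """Return the IP list for a host name, answering repeats from cache."""
        if dns in cls._cache:
            cls._cache.move_to_end(dns)        # mark as most recently used
            return list(cls._cache[dns])
        ips = cls._lookup(dns, resolver)
        if ips:
            # Only successful answers are cached: a cached empty list would
            # mask a later success for as long as the entry lived.
            cls._cache[dns] = ips
            if len(cls._cache) > CACHE_SIZE:
                cls._cache.popitem(last=False)  # evict least recently used
        return list(ips)

    @classmethod
    def clear(cls):
        cls._cache.clear()
        cls.resolver_calls = 0


def make_fake_resolver(table):
    """Constructed offline resolver mimicking socket.gethostbyname_ex;
    raises gaierror for names not in the table (assumed helper)."""
    def resolver(dns):
        if dns not in table:
            raise socket.gaierror(-2, "Name or service not known")
        return (dns, [], list(table[dns]))
    return resolver
```

With a real deployment, pass no `resolver` argument and the class falls back to `socket.gethostbyname_ex`, exactly the call the report describes.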