13

My fail2ban log at /var/log/fail2ban.log is completely filled with entries saying:

fail2ban.filter : WARNING Determined IP using DNS Lookup: [IP address]

I think this may have begun after I changed my ssh port...

Any idea what the cause of this is and how to stop it?

4 Answers

10

Had the same issue.

Simple solution: add the following line at the top of your /etc/fail2ban/jail.conf file, in the [DEFAULT] section

usedns = no

To understand why your log file is being filled with warnings, consult the following page in the Fail2Ban wiki. It's basically to prevent people manipulating the PTR record of their attack IPs to inject false values into your logs.

k0nsl
qux
2

Check the PTR record of the [IP address] and compare the resolved name with the original IP address, i.e.

drill -x ip_address or dig -x ip_address or host ip_address

Then compare the result with:

drill result or dig result or host result

It should be the same. If it is not, the attacker changed the PTR. You may modify the usedns directive to "no" or "warn" in jail.conf.

chicks
plluksie
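The drill/dig/host comparison described in this answer, automated as a forward-confirmed reverse DNS check; this is an added example, not code from the answer or from the fail2ban project. The resolver tables FAKE_PTR and FAKE_FWD are constructed (RFC 5737 documentation addresses), and the function names are assumptions; only the standard library is used.

```python
"""Forward-confirmed reverse DNS: does the PTR name of an IP resolve back to
that IP?  Resolvers are injectable so the logic can be exercised offline."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup(name: str) -> Iterable[str]:
    """A/AAAA lookup of a name via the system resolver (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def ptr_is_consistent(ip: str,
                      rev: Callable[[str], Optional[str]] = reverse_lookup,
                      fwd: Callable[[str], Iterable[str]] = forward_lookup) -> dict:
    """Report the PTR name, its forward addresses, and whether the original IP
    is among them.  A PTR that does not resolve back is exactly the case that
    makes usedns=yes lookups untrustworthy for a ban decision."""
    addr = str(ipaddress.ip_address(ip))      # raises ValueError on junk input
    name = rev(addr)
    if name is None:
        return {"ip": addr, "ptr": None, "forward": [], "consistent": False}
    forward = sorted(str(ipaddress.ip_address(a)) for a in fwd(name))
    return {"ip": addr, "ptr": name, "forward": forward,
            "consistent": addr in forward}


# Constructed, offline resolver tables (not real DNS data): one honest PTR
# whose forward record agrees, and one forged PTR whose forward record does not.
FAKE_PTR = {"192.0.2.10": "mail.example.net",
            "198.51.100.7": "admin.example.org"}
FAKE_FWD = {"mail.example.net": ["192.0.2.10"],
            "admin.example.org": ["203.0.113.1"]}


def check_offline(ip: str) -> dict:
    """Run the same check against the constructed tables instead of live DNS."""
    return ptr_is_consistent(ip, FAKE_PTR.get, lambda n: FAKE_FWD.get(n, []))


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(check_offline(ip))
```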
0

In my case the warning was:

WARNING Determined IP using DNS Lookup: localhost = ['127.0.0.1', '127.0.0.1', '::1']

This appeared every 10s. Setting usedns=no was not an option as I wanted to get to the root cause; after all, somewhere in my logs this "localhost" appeared. After trying a bunch of logs I took the "brute force" way:

find /var/log -type f -name '*.log' | xargs grep localhost -l

which gave me all the log files containing that "localhost" (which were only two, one of them the fail2ban.log itself).

It turned out that the "mysql/error.log" was the one. I dropped a database without stopping the service (omg...), which led to (every 10s):

2021-01-20T05:31:17.784116Z 2680 [Note] Access denied for user 'myserviceaccount'@'localhost' (using password: YES).

In the end - no need to stop the warnings (just stop the service ;-) ).

Gerd
0

Check that your filter regular expression doesn't match your own host. For example, in the log line:

your-host.com:443 123.22.33.44 - - [01/Mar/2025:00:00:00 +0000] "GET /your-endpoint HTTP/1.1" 200 78413 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.2020.127 Safari/537.36"

the <HOST> in the RegExp ^.*<HOST>.*$ matches your-host.com instead of 123.22.33.44 as you expect.

GHosT