
My fail2ban log at /var/log/fail2ban.log is completely filled with entries saying:

fail2ban.filter : WARNING Determined IP using DNS Lookup: [IP address]

I think this may have begun after I changed my ssh port...

Any idea what the cause of this is and how to stop it?

Dirk Calloway

3 Answers

Had the same issue.

Simple solution: add the following line at the top of your /etc/fail2ban/jail.conf file, in the [DEFAULT] section

usedns = no

To understand why your log file is being filled with warnings, consult the following page in the Fail2Ban wiki. It's basically to prevent people from manipulating the PTR records of their attacking IPs to inject false values into your logs.

k0nsl, qux

Won't this open the possibility for attack if users make login attempts for hostname origins (since hostnames will just be ignored in this case)? Perhaps I've read the docs wrong, but it seems this could be a bad idea. – Quinn Comendant Jul 27 '15 at 18:45

Also, the documentation says, *The solution is to set all services not to do reverse DNS lookups and instead to log IP addresses only*. The warning given by fail2ban (*Determined IP using DNS Lookup*) indicates that some service is logging hostnames. The best solution is to determine which service that is, and disable DNS lookups for it. Setting `usedns = no` stops the warnings and will prevent blocking of spoofed PTR networks, but leaves the service that is logging hostnames completely unprotected by fail2ban. – Quinn Comendant Jul 28 '15 at 17:05

Check the PTR record of the [IP address] and compare the resolved name with the original IP address, i.e.

drill -x ip_address or dig -x ip_address or host ip_address

Then compare the result with:

drill result or dig result or host result

It should be the same. If it is not - the attacker changed the PTR. You may set the usedns directive to "no" or "warn" in jail.conf.

chicks, plluksie
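The comparison described in this answer (resolve the PTR, then resolve the resulting name and check that the original address is among its addresses) is forward-confirmed reverse DNS. Below is an added example in Python that automates it; it is not code from the answer or from fail2ban. The function names, the stub resolvers and the documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) are assumptions made for this illustration; the default lookups use only the standard library, so `check_ptr("1.2.3.4")` on a live host does the same thing as the `dig -x` / `dig name` pair above.

```python
"""Forward-confirmed reverse DNS check for an address fail2ban resolved via a PTR lookup.

Added example, not part of the original answer. Function names and the stub
resolvers are assumptions made for this illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def normalize_ip(text: str) -> str:
    """Canonicalise an address so '::1' and '0:0:0:0:0:0:0:1' compare equal;
    the zone id of a link-local IPv6 address (e.g. 'fe80::1%eth0') is dropped."""
    try:
        return str(ipaddress.ip_address(text.split("%", 1)[0]))
    except ValueError:
        return text  # not an address; leave untouched so the mismatch stays visible


def reverse_lookup_stdlib(ip: str) -> Optional[str]:
    """PTR lookup with the standard library (what `dig -x ip` does). None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup_stdlib(name: str) -> List[str]:
    """A/AAAA lookup with the standard library (what `dig name` does). Empty when unresolvable."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({normalize_ip(info[4][0]) for info in infos})


def check_ptr(ip: str,
              reverse_lookup: ReverseLookup = reverse_lookup_stdlib,
              forward_lookup: ForwardLookup = forward_lookup_stdlib) -> Dict[str, object]:
    """Return the PTR name, what that name resolves to, and whether the original
    address is among those results (forward-confirmed reverse DNS)."""
    ptr_name = reverse_lookup(ip)
    if ptr_name is None:
        return {"ip": ip, "ptr": None, "forward": [], "consistent": False,
                "reason": "no PTR record"}
    forward = [normalize_ip(a) for a in forward_lookup(ptr_name)]
    consistent = normalize_ip(ip) in forward
    reason = ("PTR name resolves back to the IP" if consistent
              else "PTR name does not resolve back to the IP; treat the name as untrusted")
    return {"ip": ip, "ptr": ptr_name, "forward": forward,
            "consistent": consistent, "reason": reason}


# Constructed stub resolvers so the check can be exercised offline.
_STUB_PTR = {"192.0.2.10": "host.example.net",       # honest PTR
             "198.51.100.7": "trusted.example.org",   # PTR claims a name the IP does not own
             "2001:db8::5": "v6.example.net"}         # honest PTR, IPv6 written in long form
_STUB_FWD = {"host.example.net": ["192.0.2.10"],
             "trusted.example.org": ["203.0.113.5"],
             "v6.example.net": ["2001:0db8:0000:0000:0000:0000:0000:0005"]}


def stub_reverse(ip: str) -> Optional[str]:
    return _STUB_PTR.get(ip)


def stub_forward(name: str) -> List[str]:
    return _STUB_FWD.get(name, [])


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "2001:db8::5", "203.0.113.99"):
        print(check_ptr(addr, stub_reverse, stub_forward))
```

An address whose PTR name fails this check is exactly the case the `usedns = warn` setting is guarding against: the name in the log cannot be trusted, so the decision to ban should rest on the address, not the name.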

In my case the warning was:

WARNING Determined IP using DNS Lookup: localhost = ['127.0.0.1', '127.0.0.1', '::1']

This appeared every 10s. Setting usedns=no was not an option as I wanted to get the root cause - after all, somewhere in my logs this "localhost" appeared. After trying a bunch of logs I took the "brute force" way:

find /var/log -type f -name '*.log' | xargs grep localhost -l

which gave me all the log files containing that "localhost" (which were only two, one of them the fail2ban.log itself).

It turned out that the "mysql/error.log" was the one. I dropped a database without stopping the service (omg...) which led to (every 10s):

2021-01-20T05:31:17.784116Z 2680 [Note] Access denied for user 'myserviceaccount'@'localhost' (using password: YES).

In the end - no need to stop the warnings (just stop the service ;-) ).

Gerd
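The hunt in this answer (read the name out of the fail2ban warning, then search the other logs for it) can be scripted. The following is an added example in Python, not code from the answer or from fail2ban. The function names, the regular expression and the in-memory sample logs are assumptions for this illustration; the sample lines are constructed, reusing the warning and the MySQL line quoted above, and the function that walks real files under /var/log is left to the reader's `find`/`grep` from the answer.

```python
"""Find which service log is feeding hostnames to fail2ban.

Added example, not part of the original answer. Function names, the regular
expression and the in-memory sample logs are assumptions for this illustration.
"""
import ast
import re
from typing import Dict, Iterable, List, Mapping

# Matches both the bare form seen in the question ("...: [IP address]") and
# the "name = ['ip', ...]" form seen in this answer.
_WARNING_RE = re.compile(
    r"Determined IP using DNS Lookup: (?P<name>\S+?)(?: = (?P<ips>\[.*\]))?\s*$")


def parse_dns_warnings(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each name fail2ban had to resolve to the distinct addresses it got (may be empty)."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        m = _WARNING_RE.search(line)
        if not m:
            continue
        ips: List[str] = []
        if m.group("ips"):
            try:
                # fail2ban prints the resolved addresses as a Python list literal.
                ips = [str(x) for x in ast.literal_eval(m.group("ips"))]
            except (ValueError, SyntaxError):
                ips = []
        bucket = found.setdefault(m.group("name"), [])
        for ip in ips:
            if ip not in bucket:
                bucket.append(ip)
    return found


def find_sources(names: Iterable[str], logs: Mapping[str, str],
                 skip: Iterable[str] = ("fail2ban.log",)) -> Dict[str, List[str]]:
    """For each name, list the logs (other than fail2ban's own) that mention it as a whole word."""
    result: Dict[str, List[str]] = {}
    for name in names:
        # Whole-word match so 'localhost' does not hit 'localhost-2' or 'mylocalhost'.
        pattern = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
        result[name] = [log for log in sorted(logs)
                        if log not in skip and pattern.search(logs[log])]
    return result


def find_hostname_sources(logs: Mapping[str, str],
                          fail2ban_log: str = "fail2ban.log") -> Dict[str, List[str]]:
    """Read the names out of fail2ban's own log, then point at the logs that contain them."""
    names = parse_dns_warnings(logs[fail2ban_log].splitlines())
    return find_sources(names, logs, skip=(fail2ban_log,))


# Constructed sample logs (file name -> contents), modelled on the lines quoted in this answer.
SAMPLE_LOGS = {
    "fail2ban.log": ("2021-01-20 05:31:18,001 fail2ban.filter [1234]: WARNING Determined IP "
                     "using DNS Lookup: localhost = ['127.0.0.1', '127.0.0.1', '::1']\n"),
    "auth.log": ("Jan 20 05:31:10 box sshd[999]: Failed password for invalid user admin "
                 "from 203.0.113.9 port 4242 ssh2\n"),
    "mysql/error.log": ("2021-01-20T05:31:17.784116Z 2680 [Note] Access denied for user "
                        "'myserviceaccount'@'localhost' (using password: YES).\n"),
}

if __name__ == "__main__":
    print(parse_dns_warnings(SAMPLE_LOGS["fail2ban.log"].splitlines()))
    print(find_hostname_sources(SAMPLE_LOGS))
```

Once the log is identified, the fix the comments above recommend is to make that service log addresses rather than names, which removes the lookup from fail2ban's path without giving up protection for that service.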