
Lately when I query whois from one of our servers I almost always receive the following message indicating that we are exceeding daily usage limits:

Queries from your IP address have passed the daily limit of controlled objects:

%ERROR:201: access denied for xxxx:xxxx:x:x:xxxx:xxxx:xxxx:xxxx
%
% Queries from your IP address have passed the daily limit of controlled objects.
% Access from your host has been temporarily denied.

This happens whether or not I've done any lookups at all on a given day. Since I have only occasionally used this tool in the past I am left wondering how the quota could have been used up since no one else has command line access to our server and I'm reasonably sure that there has been no security compromise.

My question: Are there linux services or daemons that make use of the RIPE database service?

Eaten by a Grue
    Sadly, this is not the place for questions that elicit guessing and speculation. We have no idea what may be going on in your network. You can, however, ask this question in chat. – Ron Trunk May 13 '19 at 13:50
  • @RonTrunk - thanks, I have updated my question to something more specific that doesn't involve speculation. – Eaten by a Grue May 13 '19 at 13:56
  • 2
    We don't have access to your system and can only be guessing, but things like spam filters and log analyzers may use whois data in their reports. You can check in your package manager what has `whois` or `jwhois` as a dependency/requirement – HBruijn May 13 '19 at 14:00
  • @HBruijn - Thanks for providing a clue as to how to investigate this myself and answer my own question. Since I'm guessing this scenario may have come up for others and thus have broader usefulness, I've answered my own question below. – Eaten by a Grue May 13 '19 at 14:13

1 Answer


As noted in the comments, yes, certain services do in fact query the RIPE database. To investigate this I did a reverse-depends query of APT's package cache like this:

apt-cache rdepends --installed whois

This reveals the most likely culprit in my case: fail2ban

Thanks to @HBruijn for pointing out that I should check dependencies to answer my own question.

Eaten by a Grue
    You can turn off fail2ban's whois lookups. They usually aren't useful anyway. – Michael Hampton May 13 '19 at 16:20
  • @MichaelHampton - I have `action` set to `action_` which is the default `%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]` — I would have thought that would be enough since it's not sending whois report but maybe not? Does fail2ban do the whois lookup regardless of the `action` setting? Can you suggest something else? I'm not sure if this is the correct approach but I created `mail-whois-common.local` and added `_whois = echo "whois disabled"` – Eaten by a Grue May 13 '19 at 17:05
  • Depends on what you set the `banaction` to, I suppose. – Michael Hampton May 13 '19 at 17:11
  • banaction is `iptables-multiport` – Eaten by a Grue May 13 '19 at 17:14
  • That doesn't send whois afaik. – Michael Hampton May 13 '19 at 17:16
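The comment thread above comes down to one question: does the `action` line a jail ends up with actually expand to an action script that shells out to `whois`? The script below is an added example, not part of the original answer and not fail2ban's own code. It reimplements just enough of fail2ban's `%(name)s` interpolation and `[INCLUDES]` before/after layering to follow the stock `action_` / `action_mw` shorthand, then checks the resolved `actionban` commands for a `whois` invocation. The jail.conf and action.d snippets are constructed to mirror the shape of a stock install, not copied from it, and the `mail-whois-common.local` override it writes is the one the questioner described.

```python
"""Added example (not fail2ban's code): trace a jail's `action` to its
action.d scripts and report whether any of them invokes `whois`.
Config text below is constructed to look like a stock install."""
import configparser
import os
import re
import tempfile

# Constructed jail.conf: the action_ / action_mw shorthand fail2ban uses.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
banaction = iptables-multiport
mta = sendmail
port = 0:65535
destemail = root@localhost
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
action = %(action_)s

[sshd]
port = ssh

[nginx-http-auth]
port = http,https
action = %(action_mw)s
"""

# Constructed action.d files: a firewall action, a mail action that pulls
# `whois` in through a shared include, and that include.
SAMPLE_ACTIONS = {
    "iptables-multiport.conf": """\
[Definition]
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
""",
    "sendmail-whois.conf": """\
[INCLUDES]
before = mail-whois-common.conf
[Definition]
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            Here is more information about <ip>:
            `%(_whois)s`" | /usr/sbin/sendmail -f <sender> <dest>
""",
    "mail-whois-common.conf": """\
[INCLUDES]
after = mail-whois-common.local
[DEFAULT]
_whois = whois <ip> || echo "missing whois program"
""",
}

INTERP = re.compile(r"%\((\w+)\)s")
# Heuristic: `whois` in command position (start of string/line or right after
# a shell separator), so a string like echo "whois disabled" does not count.
WHOIS_CMD = re.compile(r"(?:^|[\n;|&`(])\s*whois\b")


def interpolate(value, scope, depth=0):
    """Expand %(name)s from scope repeatedly; unknown names are left as-is."""
    if depth > 10:  # guard against self-referential values
        return value
    new = INTERP.sub(lambda m: scope.get(m.group(1), m.group(0)), value)
    return value if new == value else interpolate(new, scope, depth + 1)


def read_ini(text):
    cp = configparser.ConfigParser(interpolation=None)  # we interpolate ourselves
    cp.read_string(text)
    return cp


def jail_actions(jail_conf_text, jail):
    """Action names (token before '[') that a jail's `action` expands to."""
    scope = dict(read_ini(jail_conf_text)[jail])
    scope["__name__"] = jail  # fail2ban substitutes the jail name here
    expanded = interpolate(scope.get("action", ""), scope)
    return [ln.split("[", 1)[0].strip() for ln in expanded.splitlines() if ln.strip()]


def load_action(action_dir, filename, seen=None):
    """Merge an action file with its [INCLUDES]: before < file < after.
    A missing include (typically an absent .local) is skipped."""
    seen = set() if seen is None else seen
    path = os.path.join(action_dir, filename)
    if filename in seen or not os.path.exists(path):
        return {}
    seen.add(filename)
    with open(path) as fh:
        cp = read_ini(fh.read())
    includes = cp["INCLUDES"] if cp.has_section("INCLUDES") else {}
    merged = {}
    for inc in includes.get("before", "").split():
        merged.update(load_action(action_dir, inc, seen))
    merged.update(cp["DEFAULT"])
    if cp.has_section("Definition"):
        merged.update(cp["Definition"])
    for inc in includes.get("after", "").split():  # .local overrides win
        merged.update(load_action(action_dir, inc, seen))
    return merged


def uses_whois(action_dir, action_name):
    """True if any of the action's commands invokes whois after expansion."""
    opts = load_action(action_dir, action_name + ".conf")
    cmds = "\n".join(interpolate(opts.get(k, ""), opts)
                     for k in ("actionstart", "actionban", "actionunban", "actionstop"))
    return WHOIS_CMD.search(cmds) is not None


def audit(jail_conf_text, action_dir, jail):
    """Map each action a jail resolves to -> whether it runs whois."""
    return {n: uses_whois(action_dir, n) for n in jail_actions(jail_conf_text, jail)}


def write_sample_tree(root, local_override=False):
    """Write the constructed action.d; optionally add the questioner's .local."""
    action_dir = os.path.join(root, "action.d")
    os.makedirs(action_dir, exist_ok=True)
    for fname, body in SAMPLE_ACTIONS.items():
        with open(os.path.join(action_dir, fname), "w") as fh:
            fh.write(body)
    if local_override:
        with open(os.path.join(action_dir, "mail-whois-common.local"), "w") as fh:
            fh.write('[DEFAULT]\n_whois = echo "whois disabled"\n')
    return action_dir


def demo():
    """Audit both constructed jails, then re-audit after the .local override."""
    with tempfile.TemporaryDirectory() as root:
        action_dir = write_sample_tree(root)
        before = {j: audit(SAMPLE_JAIL_CONF, action_dir, j) for j in ("sshd", "nginx-http-auth")}
        write_sample_tree(root, local_override=True)
        after = audit(SAMPLE_JAIL_CONF, action_dir, "nginx-http-auth")
    return before, after


if __name__ == "__main__":
    print(demo())
```

With the constructed configs, `sshd` (the default `action_` with `banaction = iptables-multiport`) resolves to no whois call, while `nginx-http-auth` (`action_mw`) resolves to `sendmail-whois`, which does call `whois` until the `mail-whois-common.local` override is in place. To use this against a real host, feed it the contents of `/etc/fail2ban/jail.local` and point `action_dir` at `/etc/fail2ban/action.d`; note that the example reads a single jail file and does not merge `jail.conf`, `jail.d/*.conf` and `jail.local` the way fail2ban does, so check the effective `action` with `fail2ban-client get <jail> actions` if the layering is non-trivial.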