[Fail2ban-users] fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: h1970896.xxxx.net = [xx1.xx9.xx2.x0']
Klaus Lehmann
2012-08-07 09:58:12 UTC
hi


for some days now there have been strange entries in fail2ban.log, like this:
2012-08-07 11:41:16,741 fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: hxxxx.stratoserver.net = ['8x.1x.1x.3x']

they are only in fail2ban.log. I've not found them elsewhere. (?) it's only a warning.

question:
where and how can I ban them?


my idea:
one more line in recidive.conf ??!!
[Definition]
_jailname = recidive
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>

NEW: one line!
failregex = fail2ban.filter.:\s+WARNING Determined IP using DNS Reverse Lookup:.*=.*
would this line work? sorry, I'm not an expert in regex... ;-(


thanks a lot and yours,
klaus
Tom Hendrikx
2012-08-07 10:10:19 UTC
Post by Klaus Lehmann
hi
2012-08-07 11:41:16,741 fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: hxxxx.stratoserver.net = ['8x.1x.1x.3x']
they are only in fail2ban.log. I've not found them elsewhere. (?) it's only a warning.
where and how can I ban them?
The log entry indicates that some other jail has seen an event including
the hostname, and f2b has looked up the IP address from the hostname in
the DNS. It might be a nice feature if the warning included the jail
name where the message originated from.

There is already a jail working on the IP, and if that jail should block
it, recidive should pick it up. There should be no need to update the
recidive regex, since the IP has not triggered any regular jail threshold
(yet).

--
Tom
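
Added example, not part of the original thread: a short Python script that reads fail2ban.log, collects the "Determined IP using DNS Reverse Lookup" warnings, and shows which of the resolved addresses were later banned by a jail. It assumes the two log line formats quoted in this thread; the hostnames, addresses and the jail name `ssh` in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the fail2ban.log format quoted in the thread
# (hostnames and addresses are documentation placeholders, jail name assumed).
SAMPLE_LOG = """\
2012-08-07 11:41:16,741 fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: host1.example.net = ['192.0.2.10']
2012-08-07 11:41:20,102 fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: host1.example.net = ['192.0.2.10']
2012-08-07 11:42:01,330 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2012-08-07 11:50:44,019 fail2ban.filter : WARNING Determined IP using DNS Reverse Lookup: host2.example.net = ['198.51.100.7', '198.51.100.8']
"""

# The filter warning: hostname on the left, list of resolved addresses on the right.
DNS_RE = re.compile(
    r"fail2ban\.filter\s*:\s+WARNING Determined IP using DNS Reverse Lookup: "
    r"(?P<name>\S+) = \[(?P<ips>[^\]]*)\]"
)
# The action line that the stock recidive failregex keys on.
BAN_RE = re.compile(
    r"fail2ban\.actions\s*:\s+WARNING\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)"
)


def correlate(log_text):
    """Per hostname: resolved IPs, number of lookups, and jails that banned them."""
    report = {}
    bans = defaultdict(set)  # ip -> set of jail names that banned it
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            entry = report.setdefault(m["name"], {"ips": set(), "lookups": 0})
            entry["ips"].update(re.findall(r"'([^']+)'", m["ips"]))
            entry["lookups"] += 1
            continue
        m = BAN_RE.search(line)
        if m:
            bans[m["ip"]].add(m["jail"])
    for entry in report.values():
        entry["banned_by"] = {
            ip: sorted(bans[ip]) for ip in entry["ips"] if ip in bans
        }
    return report


if __name__ == "__main__":
    for name, info in sorted(correlate(SAMPLE_LOG).items()):
        status = info["banned_by"] or "no ban yet"
        print(f"{name}: {info['lookups']} lookup(s), {sorted(info['ips'])}, {status}")
```

A hostname with many lookups and no ban is one that a jail is matching but that has not yet reached that jail's threshold.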
