
Bug#695734: Log IP instead of hostname


Having the IP address in the log would help prevent a potential denial-of-service attack on fail2ban users. Consider this auth.log and fail2ban.log:

auth.log:Jul 14 02:21:00 servername sshd[9572]: User admin from search.example.org not allowed because none of user's groups are listed in AllowGroups

Access was really from attack.example.com []

fail2ban.log:2016-07-14 02:21:00,601 fail2ban.filter [30444]: WARNING Determined IP using DNS Lookup: search.example.org = ['']

And now search.example.org is blocked.

The concern is that a service like fail2ban only has the hostname to block with, but that the attacker might also control their reverse DNS entry and be able to block other hosts.


Jacob Anawalt
Gecko Software, Inc.
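
Added example, not part of the original message and not fail2ban's own code: a minimal ban-decision routine run over constructed log lines, showing why a hostname-only log entry cannot safely be turned into a block. The addresses (documentation ranges), the FORWARD_DNS table and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the sshd message quoted in the report; the host field may be a name or an IP.
LINE_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from (?P<host>\S+) not allowed because"
)

# Constructed sample input. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Jul 14 02:21:00 servername sshd[9572]: User admin from search.example.org "
    "not allowed because none of user's groups are listed in AllowGroups",
    "Jul 14 02:21:05 servername sshd[9580]: User admin from 203.0.113.7 "
    "not allowed because none of user's groups are listed in AllowGroups",
]

# Constructed stand-in for forward DNS so the example runs offline.
FORWARD_DNS = {"search.example.org": ["198.51.100.20"]}


def is_ip_literal(host):
    """True when the logged host field is an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ban_targets(lines, resolve_names=False):
    """Return (to_ban, skipped): addresses to block and hostnames not acted on."""
    to_ban, skipped = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        if is_ip_literal(host):
            to_ban.append(host)        # peer address as recorded by sshd
        elif resolve_names:
            # A forward lookup returns the address of whoever owns the name,
            # which is not necessarily the connecting peer.
            to_ban.extend(FORWARD_DNS.get(host, []))
        else:
            skipped.append(host)       # name came from reverse DNS; do not ban on it
    return to_ban, skipped
```

With resolve_names=True the blocked address is the one the logged name resolves to, which is the outcome shown in the fail2ban.log line above; with the default, only entries that carry the peer's IP produce a block.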
