Bug#695734: Log IP instead of hostname

To: 695734@bugs.debian.org
Subject: Bug#695734: Log IP instead of hostname
From: "Jacob L. Anawalt" <janawalt@geckosoftware.com>
Date: Thu, 14 Jul 2016 10:26:40 -0600
Message-id: <[🔎] 4453b160-5ab5-a2e8-71ee-7c535396acd4@geckosoftware.com>
Reply-to: "Jacob L. Anawalt" <janawalt@geckosoftware.com>, 695734@bugs.debian.org

Hi,

Having the IP address in the log would help prevent a potential denial ofservice attack on fail2ban users. Consider this auth.log and fail2ban.log

auth.log:Jul 14 02:21:00 servername sshd[9572]: User admin fromsearch.example.org not allowed because none of user's groups are listed inAllowGroups


Access was really from attack.example.com [192.0.2.2]

fail2ban.log:2016-07-14 02:21:00,601 fail2ban.filter [30444]: WARNING DeterminedIP using DNS Lookup: search.example.org = ['198.51.100.10']


And now search.example.org is blocked.

The concern is that a service like fail2ban only has the hostname to block with,but that the attacker might also control their reverse DNS entry and be able toblock other hosts.


http://www.fail2ban.org/wiki/index.php/Hostnames_or_IP_Addresses

Thanks,
--
Jacob Anawalt
Gecko Software, Inc.
janawalt@geckosoftware.com
435-752-8026

Reply to:

Prev by Date: Bug#594175: openssh-server: support generation of ssh host keys in init script
Next by Date: Bug#714526: Followup on upstream patch and backport
Previous by thread: Bug#594175: openssh-server: support generation of ssh host keys in init script
Next by thread: Bug#714526: Followup on upstream patch and backport
Index(es):
- Date
- Thread