fail2ban - no IP what now?

[vonedaddy]

I have an FTP server (vsftp on fedora 8) running with fail2ban (which works incredible by the way) and it has been up and secure for over a month without any issues. Fail2ban bans about 3 - 5 IP addresses daily, most from China. Anyway I have a script that emails me the logs every more, this morning I see someone trying to get in, but there is no IP therefore fail2ban can no do its thing.

From /var/log/secure:

Jan 31 07:00:49 bighat vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator
Jan 31 07:00:54 bighat vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Jan 31 07:00:54 bighat vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=atlas.econet.cz
Jan 31 07:00:54 bighat vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user Administrator


As you see a domain instead of the usual IP address comes up. This stops fail2bans effectiveness, does anyone know how I can get this domain to be blocked automatically. Or is there an option I can put in fail2ban config to also add domains to the ban list?

Any help or ideas would be appreciated.

[Evil_Bert]

Well, I haven't actually used Fail2ban, but technically, iptables (which is called by Fail2ban) will work with either hostname or IP address, though using names is a bad idea since DNS resolution may fail or be very slow.

According to this HOWTO, Fail2ban passes either hostname or IP address to iptables which creates the appropriate rule.

To get round any hostname resolution issues, you'll have to look for an option either in the daemon being protected (e.g. sshd) to log IP addresses not hostnames (preferable, I would think), or in Fail2ban to do a DNS lookup before passing to iptables (I'm not sure if this is possible).

For example, in your sshd_config file (I think the default is supposed to be /etc/ssh/sshd_config), there should be an option called 'UseDNS', which defaults to 'yes'. This causes sshd to resolve IP addresses (and check the hostname maps back to the IP address). Given the ease with which addresses can be spoofed, even to one matching an real host, and since you're using Fail2ban as your primary defence mechanism, you should consider setting this option to 'no'.