fail2ban.filter warning unable to find a corresponding IP address

Идет перебор паролей по ftp, а fail2ban не блокирует и валит ошибки в лог.

Итак, в файле /var/log/secure имеем примерно следующие записи:

May  7 20:03:26 serv01 vsftpd[5631]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net
May  7 20:03:31 serv01 vsftpd[5633]: pam_unix(vsftpd:auth): check pass; user unknown
May  7 20:03:31 serv01 vsftpd[5633]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net
May  7 20:03:35 serv01 vsftpd[5635]: pam_unix(vsftpd:auth): check pass; user unknown
May  7 20:03:35 serv01 vsftpd[5635]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net
May  7 20:03:38 serv01 vsftpd[5637]: pam_unix(vsftpd:auth): check pass; user unknown
May  7 20:03:38 serv01 vsftpd[5637]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net

May 7 20:03:26 serv01 vsftpd[5631]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net

May 7 20:03:31 serv01 vsftpd[5633]: pam_unix(vsftpd:auth): check pass; user unknown

May 7 20:03:31 serv01 vsftpd[5633]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net

May 7 20:03:35 serv01 vsftpd[5635]: pam_unix(vsftpd:auth): check pass; user unknown

May 7 20:03:35 serv01 vsftpd[5635]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net

May 7 20:03:38 serv01 vsftpd[5637]: pam_unix(vsftpd:auth): check pass; user unknown

May 7 20:03:38 serv01 vsftpd[5637]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testuser123 rhost=host-151-250-212-66.reverse.superonline.net

А в логе fail2ban такие вот записи /var/log/fail2ban.log

2015-05-08 10:09:27,644 fail2ban.filter         [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known
2015-05-08 10:09:27,651 fail2ban.filter         [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known
2015-05-08 10:09:27,658 fail2ban.filter         [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known
2015-05-08 10:09:27,665 fail2ban.filter         [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known
2015-05-08 10:09:27,673 fail2ban.filter         [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known
2015-05-08 10:09:27,680 fail2ban.filter         [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

2015-05-08 10:09:27,644 fail2ban.filter [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

2015-05-08 10:09:27,651 fail2ban.filter [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

2015-05-08 10:09:27,658 fail2ban.filter [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

2015-05-08 10:09:27,665 fail2ban.filter [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

2015-05-08 10:09:27,673 fail2ban.filter [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

2015-05-08 10:09:27,680 fail2ban.filter [15230]: WARNING Unable to find a corresponding IP address for host-151-250-212-66.reverse.superonline.net: [Errno -2] Name or service not known

И к сожалению fail2ban не банит этих вот переборщиков. Проблема оказалась довольно банальной — fail2ban ждет IP адреса, а vsftpd резолвит их в днс-имена. Решение простое.
1. В конфиг vsftpd добавляем строчку

dual_log_enable=YES

1	dual_log_enable=YES

Перезапускаем vsftpd, и проверяем появился ли лог-файл /var/log/vsftpd.log
В файле /etc/fail2ban/path-common.conf для vsftpd меняем путь к лог файлу, вместо

vsftpd_log = /var/log/secure

1	vsftpd_log = /var/log/secure

делаем

vsftpd_log = /var/log/vsftpd.log

1	vsftpd_log = /var/log/vsftpd.log

Перезапускаем fail2ban. Все.

Добавить комментарий Отменить ответ