fail2ban fails if DNS has more than one IP

Bug #646501 reported by Torsten
This bug affects 1 person
Affects: fail2ban (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: fail2ban

Hi,
for me fail2log isn't working for pure-ftp.
I guess this is because the accessing DNS resolves to 2 IPs.

nslookup ip-81-27-192-60.net.upc.cz

Non-authoritative answer:
Name: ip-81-27-192-60.net.upc.cz
Address: 62.157.140.133
Name: ip-81-27-192-60.net.upc.cz
Address: 80.156.86.78

Syslog:
Sep 24 02:40:01 b5 CRON[1431]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
Sep 24 02:40:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:40:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:40:21 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:40:21 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:40:38 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:40:38 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:40:59 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [ERROR] Too many authentication failures
Sep 24 02:40:59 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] New connection from ip-81-27-192-60.net.upc.cz
Sep 24 02:40:59 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:41:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:41:05 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:41:14 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:41:14 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:41:26 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:41:26 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:41:41 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:41:41 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:41:59 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:41:59 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:42:20 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [ERROR] Too many authentication failures
Sep 24 02:42:20 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] New connection from ip-81-27-192-60.net.upc.cz
Sep 24 02:42:20 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:42:26 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:42:26 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:42:36 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:42:36 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:42:50 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:42:50 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address
Sep 24 02:43:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:43:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [INFO] PAM_RHOST enabled. Getting the peer address

fail2ban.log:
2010-09-24 02:32:13,457 fail2ban.actions: WARNING [pure-ftpd] Unban 62.157.140.133
2010-09-24 02:32:13,475 fail2ban.actions: WARNING [pure-ftpd] Unban 80.156.86.78
2010-09-24 02:32:14,494 fail2ban.actions: WARNING [pure-ftpd] Ban 62.157.140.133
2010-09-24 02:32:14,512 fail2ban.actions: WARNING [pure-ftpd] Ban 80.156.86.78
2010-09-24 02:33:41,616 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:33:42,617 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:35:04,694 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:35:05,695 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:36:27,778 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:36:28,779 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:37:53,861 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:37:54,862 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:39:17,942 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:39:18,943 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:40:40,025 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:40:41,026 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:42:01,104 fail2ban.actions: WARNING [pure-ftpd] 62.157.140.133 already banned
2010-09-24 02:42:02,106 fail2ban.actions: WARNING [pure-ftpd] 80.156.86.78 already banned
2010-09-24 02:42:15,122 fail2ban.actions: WARNING [pure-ftpd] Unban 62.157.140.133
2010-09-24 02:42:15,138 fail2ban.actions: WARNING [pure-ftpd] Unban 80.156.86.78
2010-09-24 02:43:25,221 fail2ban.actions: WARNING [pure-ftpd] Ban 62.157.140.133
2010-09-24 02:43:25,240 fail2ban.actions: WARNING [pure-ftpd] Ban 80.156.86.78

If I add
iptables -I fail2ban-pure-ftpd 1 -s ip-81-27-192-60.net.upc.cz -j DROP
by hand, the accesses are terminated.

Thanks for reading

 Torsten

Architecture: i386
Date: Fri Sep 24 02:48:32 2010
Dependencies:
  coreutils 7.4-2ubuntu2
  debconf 1.5.28ubuntu4
  debconf-i18n 1.5.28ubuntu4
  dpkg 1.15.5.6ubuntu4.3
  findutils 4.4.2-1ubuntu1
  gcc-4.4-base 4.4.3-4ubuntu5
  libacl1 2.2.49-2
  libattr1 1:2.4.44-1
  libbz2-1.0 1.0.5-4ubuntu0.1
  libc-bin 2.11.1-0ubuntu7.2
  libc6 2.11.1-0ubuntu7.2
  libdb4.8 4.8.24-1ubuntu1
  libgcc1 1:4.4.3-4ubuntu5
  liblocale-gettext-perl 1.05-6
  libncurses5 5.7+20090803-2ubuntu3
  libncursesw5 5.7+20090803-2ubuntu3
  libreadline6 6.1-1
  libselinux1 2.0.89-4
  libsqlite3-0 3.6.22-1
  libssl0.9.8 0.9.8k-7ubuntu8.1
  libstdc++6 4.4.3-4ubuntu5
  libtext-charwidth-perl 0.04-6
  libtext-iconv-perl 1.7-2
  libtext-wrapi18n-perl 0.06-7
  lsb-base 4.0-0ubuntu8
  lzma 4.43-14ubuntu2
  mime-support 3.48-1ubuntu1
  ncurses-bin 5.7+20090803-2ubuntu3
  perl-base 5.10.1-8ubuntu2
  python 2.6.5-0ubuntu1
  python-central 0.6.15ubuntu1
  python-minimal 2.6.5-0ubuntu1
  python2.6 2.6.5-1ubuntu6
  python2.6-minimal 2.6.5-1ubuntu6
  readline-common 6.1-1
  sed 4.2.1-6
  tzdata 2010l-0ubuntu0.10.04
  zlib1g 1:1.2.3.3.dfsg-15ubuntu1
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu-Server 10.04 "Lucid Lynx" - Release Candidate i386 (20100419.1)
NonfreeKernelModules: nvidia
Package: fail2ban 0.8.4-1ubuntu1
PackageArchitecture: all
ProblemType: Bug
ProcEnviron:
  LANG=de_DE.UTF-8
  SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-24.43-generic-pae 2.6.32.15+drm33.5
SourcePackage: fail2ban
Tags: lucid
Uname: Linux 2.6.32-24-generic-pae i686
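
An added example, not part of the original report and not fail2ban code: it correlates the syslog and fail2ban.log excerpts above and lists authentication failures logged while every address the logged hostname resolves to was already banned, which is the symptom described. The function names are hypothetical, and the year is passed in as an assumption because the syslog timestamps carry none.

```python
import re
from datetime import datetime

# Lines copied from the report's syslog and fail2ban.log excerpts (subset).
SYSLOG = """\
Sep 24 02:40:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:41:04 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
Sep 24 02:42:26 b5 pure-ftpd: (?@ip-81-27-192-60.net.upc.cz) [WARNING] Authentication failed for user [brian]
"""
F2B_LOG = """\
2010-09-24 02:32:14,494 fail2ban.actions: WARNING [pure-ftpd] Ban 62.157.140.133
2010-09-24 02:32:14,512 fail2ban.actions: WARNING [pure-ftpd] Ban 80.156.86.78
2010-09-24 02:42:15,122 fail2ban.actions: WARNING [pure-ftpd] Unban 62.157.140.133
2010-09-24 02:42:15,138 fail2ban.actions: WARNING [pure-ftpd] Unban 80.156.86.78
"""
# The nslookup answer from the report, embedded so the check runs offline.
RESOLVED = {"ip-81-27-192-60.net.upc.cz": {"62.157.140.133", "80.156.86.78"}}

FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ pure-ftpd: \(\S*@([^)]+)\) "
                     r"\[WARNING\] Authentication failed")
BAN_RE = re.compile(r"^(\S+ [\d:]{8}),\d+ fail2ban\.actions: \w+ \[[^\]]+\] "
                    r"(Ban|Unban) (\S+)$")

def ban_events(log):
    # (time, action, address) for every Ban/Unban line, in log order.
    out = []
    for m in filter(None, map(BAN_RE.match, log.splitlines())):
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        out.append((when, m.group(2), m.group(3)))
    return out

def banned_at(events, when):
    # Replay Ban/Unban events up to `when` to get the set banned at that moment.
    banned = set()
    for t, action, addr in events:
        if t <= when:
            (banned.add if action == "Ban" else banned.discard)(addr)
    return banned

def failures_despite_ban(syslog, f2b_log, resolved, year=2010):
    # Failures whose logged host maps only to addresses banned at that time.
    # A host with no entry in `resolved` is treated as its own address.
    events, hits = ban_events(f2b_log), []
    for m in filter(None, map(FAIL_RE.match, syslog.splitlines())):
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        addrs = resolved.get(m.group(2), {m.group(2)})
        if addrs <= banned_at(events, when):
            hits.append((when.strftime("%H:%M:%S"), m.group(2)))
    return hits
```

On these lines the 02:40:04 and 02:41:04 failures are reported as occurring under an active ban, while 02:42:26 falls after the unban and is not.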

Daniel Black (daniel-black) wrote :