Fail2ban log filled with entries saying "fail2ban.filter : WARNING Determined IP using DNS Lookup:.."
My fail2ban log at /var/log/fail2ban.log is completely filled with entries saying:
fail2ban.filter : WARNING Determined IP using DNS Lookup: [IP address]
I think this may have begun after I changed my ssh port...
Any idea what the cause of this is and how to stop it?
Had the same issue.
Simple solution: add the following line at the top of your /etc/fail2ban/jail.conf file, in the [DEFAULT] section:
usedns = no
To understand why your log file is being filled with warnings, consult the following page in the Fail2Ban wiki. It's basically to prevent people manipulating the PTR records of their attack IPs to inject false values in your logs.
Check the PTR record of the [IP address] and compare the resolved name with the original IP address, i.e.
drill -x ip_address or dig -x ip_address or host ip_address
Then compare the result with:
drill result or dig result or host result
It should be the same. If it is not - the attacker changed the PTR.
You may modify the usedns directive to "no" or "warn" in jail.conf.
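The reverse-then-forward comparison described in the answer above can be scripted. This is an added example, not part of the original answers; the function names (`check_fcrdns`, `ptr_names`, `forward_addrs`) and the sample tables are hypothetical, and the sample data is constructed from documentation address ranges so it runs offline.

```python
import ipaddress
import socket

def ptr_names(ip):
    """Reverse (PTR) lookup, like `dig -x ip`. Returns [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)

def forward_addrs(name):
    """Forward lookup, like `dig name`. Returns every address the name maps to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_fcrdns(ip, reverse=ptr_names, forward=forward_addrs):
    """Return (verdict, names); verdict is 'match', 'mismatch' or 'no-ptr'."""
    want = ipaddress.ip_address(ip)
    names = reverse(ip)
    if not names:
        return "no-ptr", []
    for name in names:
        for addr in forward(name):
            # Drop any IPv6 zone id ("%eth0") before comparing as addresses,
            # so textual differences (case, zero compression) do not matter.
            if ipaddress.ip_address(addr.split("%")[0]) == want:
                return "match", names
    return "mismatch", names

# Constructed sample data (documentation address ranges), so the demo runs offline.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net"],
              "198.51.100.7": ["trusted.example.org"]}
SAMPLE_FWD = {"mail.example.net": {"192.0.2.10"},
              "trusted.example.org": {"203.0.113.5"}}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(name):
    return SAMPLE_FWD.get(name, set())

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99"):
        print(ip, check_fcrdns(ip, sample_reverse, sample_forward))
```

Calling `check_fcrdns(ip)` with no resolver arguments performs live lookups through the system resolver.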