I made a remote PC try to ssh with a password to my Raspberry Pi server with password authentication turned off (only public key), and it doesn't recognize the IP address.
Steps to reproduce this issue
jail.local
jail.d/jail.local
```ini
[DEFAULT]
bantime = 1h
maxretry = 3
findtime = 1h
ignoreip = 127.0.0.1/8 ::1 10.0.0.1/24
logencoding = auto
usedns = warn
enabled = false
mode = aggressive
destemail = myemail@gmail.com
sendername = Fail2Ban Schklom
fq-hostname = Schklom
port = 0:65535
#banaction = iptables-multiport
banaction = iptables-allports
protocol = tcp
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 4w
bantime.rndtime = 38
# Email with sendername activated (copied from jail.conf and arranged according to git issue below)
# Email with fq-hostname activated (copied from jail.conf and arranged according to git issue below)
# https://github.com/fail2ban/fail2ban/issues/2071
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", sendername="%(sendername)s", fq-hostname="%(fq-hostname)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_mwl)s
sshd_log = /var/log/auth.log
```
Jail sshd
jail.d/sshd.local
```ini
[sshd]
enabled = true
chain = INPUT
port = 1234
filter = sshd[mode=aggressive]
logpath = %(sshd_log)s
maxretry = 3
# When I turn off usedns, the log's line "Unable to ..." disappears, but still no ban
#usedns = no
```
Filter added to sshd
I tried to manually make the line recognized, but this doesn't work either.
filter.d/sshd.local
```ini
[Definition]
failregex = %(known/failregex)s
            %(__prefix_line)sConnection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \d+ [preauth]$
```
Expected behaviour
The IP should be banned when /var/log/auth.log has these lines:
```
Oct 29 17:58:34 raspberrypi sshd[25644]: Connection reset by authenticating user pi 123.456.78.910 port 53945 [preauth]
Oct 29 17:59:24 raspberrypi sshd[25960]: Connection reset by authenticating user pi 123.456.78.910 port 53977 [preauth]
Oct 29 18:38:10 raspberrypi sshd[32493]: Connection reset by authenticating user pi 123.456.78.910 port 61479 [preauth]
```
Actual behaviour
It doesn't read the IP, and doesn't ban it.
Configuration
Docker version (type docker --version) : Docker version 19.03.13, build 4484c46
Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.27.3, build unknown
Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Pi OS (based on Debian 10)
System info (type uname -a) : Linux raspberrypi 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux
Include all necessary configuration files : docker-compose.yml, .env, ...
Output of command `docker info`:
Client:
Debug Mode: false
Server:
Containers: 10
Running: 9
Paused: 0
Stopped: 1
Images: 12
Server Version: 19.03.13
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.4.72-v7l+
Operating System: Raspbian GNU/Linux 10 (buster)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 7.691GiB
Name: raspberrypi
ID: HNQJ:2QLW:NIJP:OCJQ:6RLW:B7TX:EGNG:VBNS:MLKF:76S3:DMWF:CWNU
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support
### Logs
docker logs fail2ban
Setting timezone to Europe/Oslo...
Setting SSMTP configuration...
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Checking for custom filters in /data/filter.d...
Add custom filter sshd.local...
2020-10-29 18:53:44,378 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2020-10-29 18:53:44,385 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-10-29 18:53:44,388 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-10-29 18:53:44,395 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2020-10-29 18:53:44,396 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to STDOUT
2020-10-29 18:53:44,407 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2020-10-29 18:53:44,409 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2020-10-29 18:53:44,460 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2020-10-29 18:53:44,469 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2020-10-29 18:53:44,473 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2020-10-29 18:53:44,490 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.d/sshd.local']
2020-10-29 18:53:44,500 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/jail.local', '/etc/fail2ban/jail.d/sshd.local']
2020-10-29 18:53:44,504 fail2ban.configreader [1]: INFO Loading configs for filter.d/sshd under /etc/fail2ban
2020-10-29 18:53:44,512 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
2020-10-29 18:53:44,518 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
2020-10-29 18:53:44,523 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
2020-10-29 18:53:44,524 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/sshd.local']
2020-10-29 18:53:44,525 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf', '/etc/fail2ban/filter.d/sshd.local']
2020-10-29 18:53:44,558 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
2020-10-29 18:53:44,560 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2020-10-29 18:53:44,565 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
2020-10-29 18:53:44,569 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
2020-10-29 18:53:44,570 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
2020-10-29 18:53:44,571 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-allports.conf']
2020-10-29 18:53:44,576 fail2ban.configreader [1]: INFO Loading configs for action.d/sendmail-whois-lines under /etc/fail2ban
2020-10-29 18:53:44,578 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2020-10-29 18:53:44,582 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf']
2020-10-29 18:53:44,585 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.local']
2020-10-29 18:53:44,587 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf']
2020-10-29 18:53:44,589 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.local']
2020-10-29 18:53:44,595 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/helpers-common.conf']
2020-10-29 18:53:44,597 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf', '/etc/fail2ban/action.d/mail-whois-common.conf', '/etc/fail2ban/action.d/helpers-common.conf', '/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2020-10-29 18:53:44,758 fail2ban.server [1]: INFO --------------------------------------------------
2020-10-29 18:53:44,759 fail2ban.server [1]: INFO Starting Fail2ban v0.11.1
2020-10-29 18:53:44,760 fail2ban.server [1]: DEBUG Creating PID file /var/run/fail2ban/fail2ban.pid
2020-10-29 18:53:44,763 fail2ban.observer [1]: INFO Observer start...
2020-10-29 18:53:44,767 fail2ban.server [1]: DEBUG Starting communication
2020-10-29 18:53:44,783 fail2ban.database [1]: INFO Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2020-10-29 18:53:44,786 fail2ban.jail [1]: INFO Creating new jail 'sshd'
2020-10-29 18:53:44,818 fail2ban.jail [1]: INFO Jail 'sshd' uses pyinotify {}
2020-10-29 18:53:44,819 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,819 fail2ban.filter [1]: DEBUG Created FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,822 fail2ban.filterpyinotif [1]: DEBUG Created FilterPyinotify
2020-10-29 18:53:44,822 fail2ban.jail [1]: INFO Initiated 'pyinotify' backend
2020-10-29 18:53:44,824 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,824 fail2ban.server [1]: DEBUG prefregex: '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'
2020-10-29 18:53:44,831 fail2ban.filter [1]: INFO maxLines: 1
2020-10-29 18:53:44,832 fail2ban.server [1]: DEBUG failregex: '^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,838 fail2ban.server [1]: DEBUG failregex: '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,843 fail2ban.server [1]: DEBUG failregex: '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-10-29 18:53:44,849 fail2ban.server [1]: DEBUG failregex: '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-10-29 18:53:44,857 fail2ban.server [1]: DEBUG failregex: '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>'
2020-10-29 18:53:44,861 fail2ban.server [1]: DEBUG failregex: '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,867 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,872 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,878 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,884 fail2ban.server [1]: DEBUG failregex: '^refused connect from \\S+ \\(<HOST>\\)'
2020-10-29 18:53:44,888 fail2ban.server [1]: DEBUG failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,894 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,900 fail2ban.server [1]: DEBUG failregex: "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$"
2020-10-29 18:53:44,907 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,915 fail2ban.server [1]: DEBUG failregex: '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,923 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*'
2020-10-29 18:53:44,926 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$'
2020-10-29 18:53:44,933 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,937 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:'
2020-10-29 18:53:44,942 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?: (?:port \\d+|on \\S+)){0,2}\\s+\\[preauth\\]\\s*$'
2020-10-29 18:53:44,949 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)'
2020-10-29 18:53:44,955 fail2ban.server [1]: DEBUG failregex: '^Did not receive identification string from <HOST>'
2020-10-29 18:53:44,971 fail2ban.server [1]: DEBUG failregex: "^Bad protocol version identification '.*' from <HOST>"
2020-10-29 18:53:44,976 fail2ban.server [1]: DEBUG failregex: '^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>'
2020-10-29 18:53:44,980 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\\d+;[A-Z]\\w+:'
2020-10-29 18:53:44,991 fail2ban.server [1]: DEBUG failregex: '^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer'
2020-10-29 18:53:44,992 fail2ban.server [1]: DEBUG failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*14: No supported authentication methods available'
2020-10-29 18:53:45,003 fail2ban.server [1]: DEBUG failregex: '^Unable to negotiate with <HOST>(?: (?:port \\d+|on \\S+)){0,2}: no matching (?:(?:\\w+ (?!found\\b)){0,2}\\w+) found.'
2020-10-29 18:53:45,008 fail2ban.server [1]: DEBUG failregex: '^Unable to negotiate a (?:(?:\\w+ (?!found\\b)){0,2}\\w+)'
2020-10-29 18:53:45,010 fail2ban.server [1]: DEBUG failregex: '^no matching (?:(?:\\w+ (?!found\\b)){0,2}\\w+) found:'
2020-10-29 18:53:45,012 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>'
2020-10-29 18:53:45,016 fail2ban.server [1]: DEBUG failregex: '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Connection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \\d+ [preauth]$'
2020-10-29 18:53:45,049 fail2ban.filter [1]: INFO maxRetry: 3
2020-10-29 18:53:45,050 fail2ban.filter [1]: INFO findtime: 3600
2020-10-29 18:53:45,051 fail2ban.actions [1]: INFO banTime: 3600
2020-10-29 18:53:45,051 fail2ban.jail [1]: INFO Set banTime.increment = True
2020-10-29 18:53:45,052 fail2ban.jail [1]: INFO Set banTime.factor = 1
2020-10-29 18:53:45,052 fail2ban.jail [1]: INFO Set banTime.maxtime = 4w
2020-10-29 18:53:45,053 fail2ban.jail [1]: INFO Set banTime.rndtime = 38
2020-10-29 18:53:45,055 fail2ban.filter [1]: DEBUG Add '127.0.0.0/8' to ignore list ('127.0.0.1/8')
2020-10-29 18:53:45,055 fail2ban.filter [1]: DEBUG Add '::1' to ignore list ('::1')
2020-10-29 18:53:45,056 fail2ban.filter [1]: DEBUG Add '10.2.0.0/24' to ignore list ('10.2.0.1/24')
2020-10-29 18:53:45,056 fail2ban.filter [1]: DEBUG Add '10.0.0.0/24' to ignore list ('10.0.0.1/24')
2020-10-29 18:53:45,057 fail2ban.filter [1]: INFO encoding: UTF-8
2020-10-29 18:53:45,058 fail2ban.filter [1]: INFO Added logfile: '/var/log/auth.log' (pos = 303192, hash = ccd6530adb8309f16718f1b271d3c1c104b3da5e)
2020-10-29 18:53:45,059 fail2ban.filterpyinotif [1]: DEBUG New <Watch wd=1 path=/var/log mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb60265c8> dir=True >
2020-10-29 18:53:45,060 fail2ban.filterpyinotif [1]: DEBUG Added monitor for the parent directory /var/log
2020-10-29 18:53:45,061 fail2ban.filterpyinotif [1]: DEBUG New <Watch wd=2 path=/var/log/auth.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb60265c8> dir=False >
2020-10-29 18:53:45,062 fail2ban.filterpyinotif [1]: DEBUG Added file watcher for /var/log/auth.log
2020-10-29 18:53:45,062 fail2ban.filter [1]: DEBUG Seek to find time 1603990425.062525 (2020-10-29 17:53:45), file size 303516
2020-10-29 18:53:45,076 fail2ban.filter [1]: DEBUG Position 303192 from 303516, found time 1603994017.0 (2020-10-29 18:53:37) within 1 seeks
2020-10-29 18:53:45,077 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2020-10-29 18:53:45,077 fail2ban.CommandAction [1]: DEBUG Set actionstart = '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-sshd\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actionflush = '<iptables> -F f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-sshd[ \\t]'"
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actionban = '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set actionunban = '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set name = 'sshd'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set port = '55821'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set protocol = 'tcp'
2020-10-29 18:53:45,080 fail2ban.CommandAction [1]: DEBUG Set chain = 'INPUT'
2020-10-29 18:53:45,080 fail2ban.CommandAction [1]: DEBUG Set actname = 'iptables-allports'
2020-10-29 18:53:45,080 fail2ban.CommandAction [1]: DEBUG Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
2020-10-29 18:53:45,081 fail2ban.CommandAction [1]: DEBUG Set returntype = 'RETURN'
2020-10-29 18:53:45,081 fail2ban.CommandAction [1]: DEBUG Set lockingopt = '-w'
2020-10-29 18:53:45,082 fail2ban.CommandAction [1]: DEBUG Set iptables = 'iptables <lockingopt>'
2020-10-29 18:53:45,082 fail2ban.CommandAction [1]: DEBUG Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
2020-10-29 18:53:45,082 fail2ban.CommandAction [1]: DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Set actionstart = 'printf %b "Subject: [Fail2Ban] sshd: started on Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: myemail@gmail.com\\n\nHi,\\n\nThe jail sshd has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@Schklom" "myemail@gmail.com"'
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Set actionstop = 'printf %b "Subject: [Fail2Ban] sshd: stopped on Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: myemail@gmail.com\\n\nHi,\\n\nThe jail sshd has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@Schklom" "myemail@gmail.com"'
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Set actioncheck = ''
2020-10-29 18:53:45,086 fail2ban.CommandAction [1]: DEBUG Set actionban = '( printf %b "Subject: [Fail2Ban] sshd: banned <ip> from Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: myemail@gmail.com\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against sshd.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/var/log/auth.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@Schklom" "myemail@gmail.com"'
2020-10-29 18:53:45,086 fail2ban.CommandAction [1]: DEBUG Set actionunban = ''
2020-10-29 18:53:45,086 fail2ban.CommandAction [1]: DEBUG Set norestored = True
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set name = 'sshd'
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set sender = 'root@<fq-hostname>'
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set sendername = 'Fail2Ban Schklom'
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set fq-hostname = 'Schklom'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set dest = 'myemail@gmail.com'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set logpath = '/var/log/auth.log'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set chain = 'INPUT'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set actname = 'sendmail-whois-lines'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set greplimit = 'tail -n <grepmax>'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set grepmax = '1000'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set grepopts = '-m <grepmax>'
2020-10-29 18:53:45,090 fail2ban.jail [1]: DEBUG Starting jail 'sshd'
2020-10-29 18:53:45,099 fail2ban.filterpyinotif [1]: DEBUG [sshd] filter started (pyinotifier)
2020-10-29 18:53:45,135 fail2ban.jail [1]: INFO Jail 'sshd' started
2020-10-29 18:53:45,148 fail2ban.transmitter [1]: DEBUG Status: ready
Server ready
2020-10-29 18:53:46,655 fail2ban.utils [1]: DEBUG b6034160 -- returned successfully 0
2020-10-29 18:53:52,278 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 18:53:52,279 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 18:53:52,284 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 18:53:52,285 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 18:53:52,418 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 18:53:52,418 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 19:01:01,319 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 19:01:01,320 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 19:01:01,366 fail2ban.ipdns [1]: WARNING Unable to find a corresponding IP address for authenticating: [Errno -2] Name does not resolve
2020-10-29 19:01:02,405 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 19:01:02,405 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
PS: I am using this container instead of Fail2Ban on host, because while I don't have the problem I just described, I can't manage to set up email notifications.
If someone could help, I would be very grateful :)
Many thanks
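
An added example, not part of the original issue or of the fail2ban code base: it replays three patterns against the message part of the reported `auth.log` line to show which token ends up in `<HOST>`. The `<HOST>` expansion is a simplified stand-in, `203.0.113.7` is a constructed address, and `CANDIDATE` is a hypothetical pattern, not a project fix.

```python
import re

# Simplified stand-ins for the alternatives inside fail2ban's <HOST> tag
# (assumption: the real expansion is stricter, but has the same three branches).
IP4 = r"(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})"
IP6 = r"(?P<ip6>(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})"
DNS = r"(?P<dns>[\w\-.^_]*\w)"

# Message part of the auth.log lines in the issue, i.e. what is left once the
# syslog prefix is stripped. 203.0.113.7 is a constructed documentation address.
CONTENT = "Connection reset by authenticating user pi 203.0.113.7 port 53945 [preauth]"

# Stock aggressive-mode pattern, copied from the DEBUG output in the issue.
STOCK = r"^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>"
# Custom pattern from filter.d/sshd.local, without its all-optional prefix.
CUSTOM = (r"^Connection closed by authenticating user <F-USER>.+</F-USER> "
          r"<HOST> port \d+ [preauth]$")
# Hypothetical candidate: accepts "closed" or "reset" and escapes the brackets.
CANDIDATE = (r"^Connection (?:closed|reset) by authenticating user "
             r"<F-USER>\S+</F-USER> <HOST> port \d+ \[preauth\]\s*$")


def expand(failregex, usedns=True):
    """Turn a fail2ban-style failregex into a plain Python regex.

    With usedns=False the DNS-name branch of <HOST> is dropped, so only
    literal addresses can be captured.
    """
    host = f"(?:{IP4}|{IP6}" + (f"|{DNS})" if usedns else ")")
    rx = failregex.replace("<HOST>", host)
    # <F-NAME>...</F-NAME> capture tags become ordinary named groups.
    rx = re.sub(r"<F-([A-Z_]+)>", lambda m: f"(?P<{m.group(1).lower()}>", rx)
    rx = re.sub(r"</F-[A-Z_]+>", ")", rx)
    return re.compile(rx)


def host_of(failregex, content, usedns=True):
    """Return (kind, value) for what <HOST> captured, or None if no match."""
    m = expand(failregex, usedns).search(content)
    if not m:
        return None
    for kind in ("ip4", "ip6", "dns"):
        if kind in m.groupdict() and m.group(kind):
            return kind, m.group(kind)
    return None


if __name__ == "__main__":
    closed = CONTENT.replace("reset", "closed")
    cases = [
        ("stock, DNS names allowed", STOCK, CONTENT, True),
        ("stock, usedns = no", STOCK, CONTENT, False),
        ("custom, 'reset' line", CUSTOM, CONTENT, True),
        ("custom, 'closed' line", CUSTOM, closed, True),
        ("candidate, usedns = no", CANDIDATE, CONTENT, False),
    ]
    for label, rx, text, usedns in cases:
        print(f"{label:26} -> {host_of(rx, text, usedns)}")
```

The first case is consistent with the `Unable to find a corresponding IP address for authenticating` warning in the log, and the second with the warning disappearing under `usedns = no` while still producing no ban. Any candidate pattern should be checked against the real log with `fail2ban-regex` before it goes into `filter.d/sshd.local`.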