Hi,

Having the IP address in the log would help prevent a potential denial of
service attack on fail2ban users. Consider this auth.log and fail2ban.log:

auth.log:Jul 14 02:21:00 servername sshd[9572]: User admin from search.example.org not allowed because none of user's groups are listed in AllowGroups

Access was really from attack.example.com [192.0.2.2]

fail2ban.log:2016-07-14 02:21:00,601 fail2ban.filter [30444]: WARNING Determined IP using DNS Lookup: search.example.org = ['198.51.100.10']

And now search.example.org is blocked.

The concern is that a service like fail2ban only has the hostname to block with,
but that the attacker might also control their reverse DNS entry and be able to
block other hosts.

http://www.fail2ban.org/wiki/index.php/Hostnames_or_IP_Addresses

Thanks,
--
Jacob Anawalt
Gecko Software, Inc.
janaw...@geckosoftware.com
435-752-8026
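
The mis-ban described in the message above, as an added example that is not part of the original post and is not fail2ban's own code. The regex, the function name ban_targets and the FAKE_DNS table are assumptions made for illustration; the sample lines are constructed from the log excerpt in the message.

```python
import ipaddress
import re

# Constructed sample lines modelled on the auth.log excerpt in the message.
SAMPLE_HOSTNAME = ("Jul 14 02:21:00 servername sshd[9572]: User admin from "
                   "search.example.org not allowed because none of user's "
                   "groups are listed in AllowGroups")
SAMPLE_IP = SAMPLE_HOSTNAME.replace("search.example.org", "192.0.2.2")

# Hypothetical pattern for this one sshd message (not fail2ban's filter regex).
HOST_RE = re.compile(
    r"sshd\[\d+\]: User \S+ from (?P<host>\S+) not allowed because")

# Constructed stand-in for forward DNS so the example runs offline.
FAKE_DNS = {"search.example.org": ["198.51.100.10"]}


def ban_targets(line, resolve_names=False, dns=FAKE_DNS):
    """Return (addresses_to_ban, reason) for one log line.

    resolve_names=True bans whatever the logged name resolves to;
    resolve_names=False bans only when the log carries an IP literal.
    """
    m = HOST_RE.search(line)
    if not m:
        return [], "no match"
    host = m.group("host")
    try:
        # An IP literal in the log is the peer address itself.
        return [str(ipaddress.ip_address(host))], "ip literal from log"
    except ValueError:
        pass  # a name: it came from the reverse DNS record of the peer
    if resolve_names:
        # Forward lookup of a name the remote side may control.
        return list(dns.get(host, [])), "forward lookup of logged name"
    return [], "hostname only, no address to ban"


if __name__ == "__main__":
    for sample in (SAMPLE_HOSTNAME, SAMPLE_IP):
        print(ban_targets(sample, resolve_names=True), ban_targets(sample))
```

With resolve_names=True the hostname line yields 198.51.100.10, the address of search.example.org, while the real source 192.0.2.2 is never banned. In fail2ban, the lookup reported in the warning is governed by the usedns jail option.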