Let me add to this:

fail2ban continues to provide a DoS vector - it is not uncommon for an IP to reverse resolve to a name which in turn resolves to a _different_ IP, or multiple IPs. This causes fail2ban to block the wrong address.

Example (this is using in.ftpd, but it happens with wu-ftpd, too):
From syslog:
Aug 2 12:28:14 hamburg in.ftpd[16120]: connect from 74.81.64.237 (74.81.64.237)
Aug 2 12:28:41 hamburg ftpd[16120]: repeated login failures from vps.namecheaphosting.com
From auth.log:
Aug 2 12:28:12 hamburg ftpd[16117]: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=vps.namecheaphosting.com user=root
Aug 2 12:28:14 hamburg ftpd[16120]: pam_ftp(ftp:auth): conversation failed

fail2ban sees the vps.namecheaphosting.com, resolves it, and bans some other address (it resolves to 2 different addresses).

The solution is what was originally proposed - look in syslog, not auth.log.
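As an added illustration (not part of the original message), here is a small Python comparison of the two filter strategies on the log lines above: matching rhost= in auth.log forces a DNS lookup of the hostname, while correlating the syslog "connect from" and "repeated login failures" lines by ftpd PID yields the literal peer address. The FAKE_DNS mapping and the 192.0.2.x addresses are constructed stand-ins, not real resolution results.

```python
import re

# Sample lines modelled on the ones quoted in the message.
SYSLOG = [
    "Aug 2 12:28:14 hamburg in.ftpd[16120]: connect from 74.81.64.237 (74.81.64.237)",
    "Aug 2 12:28:41 hamburg ftpd[16120]: repeated login failures from vps.namecheaphosting.com",
]
AUTHLOG = [
    "Aug 2 12:28:12 hamburg ftpd[16117]: pam_unix(ftp:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=vps.namecheaphosting.com user=root",
    "Aug 2 12:28:14 hamburg ftpd[16120]: pam_ftp(ftp:auth): conversation failed",
]

# Constructed stand-in for DNS: the logged name resolves to addresses that are
# not the connecting client, which is exactly the mis-ban described above.
FAKE_DNS = {"vps.namecheaphosting.com": ["192.0.2.10", "192.0.2.11"]}

IPV4 = r"\d+\.\d+\.\d+\.\d+"
CONNECT_RE = re.compile(r"in\.ftpd\[(?P<pid>\d+)\]: connect from (?P<ip>" + IPV4 + r") ")
FAILURE_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: repeated login failures from (?P<host>\S+)")
RHOST_RE = re.compile(r"rhost=(?P<rhost>\S+)")


def authlog_ban_targets(lines):
    """Addresses a filter keyed on auth.log's rhost= would ban.

    rhost= carries whatever name PAM logged; when it is not a literal IP the
    filter has to resolve it, and bans whatever DNS answers.
    """
    targets = []
    for line in lines:
        m = RHOST_RE.search(line)
        if not m:
            continue
        rhost = m.group("rhost")
        if re.fullmatch(IPV4, rhost):
            targets.append(rhost)
        else:
            targets.extend(FAKE_DNS.get(rhost, []))
    return targets


def syslog_ban_targets(lines):
    """Addresses a syslog-based filter would ban, correlated by ftpd PID.

    The 'connect from' line records the real peer address; the later
    'repeated login failures' line for the same PID triggers the ban.
    """
    pid_to_ip, targets = {}, []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            pid_to_ip[m.group("pid")] = m.group("ip")
            continue
        m = FAILURE_RE.search(line)
        if m and m.group("pid") in pid_to_ip:
            targets.append(pid_to_ip[m.group("pid")])
    return targets
```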



