I recently installed fail2ban which has begun blocking bad ssh attempts.
I also set up an additional filter to permanently ban repeat offenders.
I notice now that there are some entries in my iptables that are there as DNS hostnames instead of raw IP addresses, which is obviously a terrible idea.
I have added use_dns = no in my /etc/fail2ban/fail2ban.conf, and have added UseDNS no to /etc/ssh/sshd_config. I've restarted both services, but those iptables entries are still showing up as host names instead of IP addresses.
What else could be causing the DNS names? The permanent list of banned IPs is being stored as raw IPs, so the translation seems to be happening behind the scenes as they are added by fail2ban at startup.
Are you checking these rules with iptables --list? If so, try iptables --list -n to inhibit reverse DNS lookups.

To clarify, this is nothing to worry about. What you're seeing is merely the iptables client performing reverse DNS lookups for the listed IPs. As you'll likely find, the firewall rules are indeed being created using only the offending IP address.
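A way to confirm that claim on the host, as an added example rather than part of the answer above: iptables-save prints addresses numerically and never resolves names, so checking every -s match in its output for a numeric address shows what the kernel actually holds. The chain name f2b-sshd and the addresses in the sample are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output for a fail2ban chain (not real data).
# iptables-save never performs reverse DNS, so it is the authoritative view of the
# rules, unlike `iptables --list` without -n.
SAMPLE_RULES='*filter
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT'

# Print the argument of every -s (source) match in iptables-save text, one per line.
rule_sources() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-s") print $(i+1) }'
}

# Return 0 if every -s match is a numeric IPv4 or IPv6 address or CIDR prefix,
# 1 if any looks like a hostname (which would mean a rule really was created by name).
sources_are_numeric() {
    # grep -v selects lines matching neither numeric pattern; -q exits 0 if any exist.
    if rule_sources "$1" | grep -Evq \
        -e '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        -e '^[0-9a-fA-F:]*:[0-9a-fA-F:]*(/[0-9]{1,3})?$'; then
        return 1
    fi
    return 0
}

# On a live host, feed the real table instead of the sample (needs root):
#   sources_are_numeric "$(iptables-save -t filter)" && echo "all bans are numeric"
```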