I’m running a mix of CentOS 5 and 6 servers reachable by ssh from the Internet. Of course I allow only public key authentication and no root login. In addition I’m running fail2ban to block obnoxious brute force attack sources.
On CentOS 6 this is working pretty well, but on CentOS 5 there’s one class of attacks fail2ban fails to ban. (No pun intended.) This isn’t fail2ban’s fault, but openssh’s. When the source IP address of a failed attempt fails the reverse mapping check, CentOS 6 (openssh-server-5.3p1-81.el6_3.x86_64) logs:

    Mar 3 04:06:34 posthamster sshd: reverse mapping checking getaddrinfo for hn.ly.kd.adsl [126.96.36.199] failed - POSSIBLE BREAK-IN ATTEMPT!

from which fail2ban can pick up and block IP address 188.8.131.52 just fine. CentOS 5 (openssh-server-4.3p2-82.el5) OTOH logs:

    Mar 3 04:44:48 gimli sshd: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!

without the IP address. The name is of no use because sshd just confirmed that it doesn’t really correspond to the attacker’s IP address.
Any ideas how to remedy that situation?
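To make the difference between the two log formats concrete, here is an added example (not part of the question, and not fail2ban's own filter file) that applies a fail2ban-style failregex to constructed copies of both lines. fail2ban filters use a <HOST> placeholder that is expanded at load time into a pattern capturing a hostname or IP into a named group; the expansion used below is an assumption modelled on the 0.8-era behaviour, and the failregex itself is written here for the message quoted above. The point it shows: the CentOS 6 line yields a bannable address, the CentOS 5 line yields nothing, because the only bracketed field (the IP) is missing and the hostname is, as the question says, not trustworthy.

```python
import re

# fail2ban substitutes <HOST> in a failregex with a pattern that captures the
# offending host into the named group "host". This expansion is an
# assumption modelled on fail2ban 0.8.x; newer releases use a richer pattern.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed failregex for the "reverse mapping checking" message, in the
# style of fail2ban's sshd filter (not copied from it). The address we want
# is the bracketed field that follows the (untrusted) hostname.
FAILREGEX = (
    r"reverse mapping checking getaddrinfo for \S+ \[<HOST>\] failed"
    r"\s-\sPOSSIBLE BREAK-IN ATTEMPT!"
)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


_PATTERN = compile_failregex(FAILREGEX)


def extract_host(line, pattern=_PATTERN):
    """Return the captured host/IP for a matching log line, else None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def ban_candidates(lines, pattern=_PATTERN):
    """Count failures per extracted address over a batch of log lines.

    Lines that match the sshd message but carry no bracketed address (the
    CentOS 5 format) cannot be attributed to a source and are counted under
    the key None so that the gap is visible rather than silently dropped.
    """
    counts = {}
    for line in lines:
        if "reverse mapping checking getaddrinfo" not in line:
            continue  # unrelated log line
        host = extract_host(line, pattern)
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines in the shape of the two formats quoted in the
# question (hostnames and addresses are placeholders, not real hosts).
CENTOS6_LINE = ("Mar 3 04:06:34 posthamster sshd: reverse mapping checking "
                "getaddrinfo for hn.ly.kd.adsl [126.96.36.199] failed"
                " - POSSIBLE BREAK-IN ATTEMPT!")
CENTOS5_LINE = ("Mar 3 04:44:48 gimli sshd: reverse mapping checking "
                "getaddrinfo for hn.ly.kd.adsl failed"
                " - POSSIBLE BREAK-IN ATTEMPT!")
OTHER_LINE = "Mar 3 04:45:01 gimli sshd: Connection closed by 192.0.2.10"

if __name__ == "__main__":
    print("CentOS 6 ->", extract_host(CENTOS6_LINE))   # 126.96.36.199
    print("CentOS 5 ->", extract_host(CENTOS5_LINE))   # None
    print(ban_candidates([CENTOS6_LINE, CENTOS5_LINE, OTHER_LINE]))
```

Running it prints the IP for the CentOS 6 line and None for the CentOS 5 line; the count dict makes the unattributable failures show up under None, which is a useful sanity check when tuning a filter on an older sshd.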