Thanks guys,
something more to learn (spoofing) ..... ;-)
Unfortunately 0.0.0.0 doesn't show up in the log file.
I did a grep -rE "0{1}\.0{1}\.0{1}.0{1}" through all my rotated
auth log files.
The fail2ban mail message (see below) doesn't show any lines.
Mmmm,mmmm,mmmm, strange ... how does fail2ban ban something which
doesn't leave a trace in the log file ....
Well, I have a few more log files ;-) will have to grep deeper.
On 01.11.2018 00:52, r fancher wrote:
Sorry, I did not mean to say Denis, this was meant for kaffeesurrogat.
My apologies.
------------------------------------------------------------------------
*From:* r fancher via Fail2ban-users
<[email protected]>
*To:* Denis Rasulev <[email protected]>; "[email protected]"
<[email protected]>
*Cc:* "[email protected]"
<[email protected]>
*Sent:* Wednesday, October 31, 2018 4:42 PM
*Subject:* Re: [Fail2ban-users] Strange IP is banned by fail2ban
Denis,
This is due to IP spoofing; you might want to add this to your
firewall. I use iptables:
iptables -N spoofing
# -A keeps the rules in order: log first, then drop
iptables -A spoofing -j LOG --log-prefix "Spoofed source IP"
iptables -A spoofing -j DROP
iptables -A INPUT -s 255.0.0.0/8 -j spoofing
iptables -A INPUT -s 0.0.0.0/8 -j spoofing
------------------------------------------------------------------------
*From:* Denis Rasulev <[email protected]>
*To:* [email protected]
*Cc:* [email protected]
*Sent:* Wednesday, October 31, 2018 10:01 AM
*Subject:* Re: [Fail2ban-users] Strange IP is banned by fail2ban
Dear kaffeesurrogat,
You are not in danger of blocking all the traffic.
0.0.0.0 is a non-routable meta-address used to designate an invalid,
unknown or non-applicable target (a "no particular address" placeholder).
I would advise looking at the /var/log/auth.log entries containing this
address and trying to understand what causes them.
Regards,
Denis Rasulev
> On 31 Oct 2018, at 10:52, kaffeesurrogat <[email protected]> wrote:
>
> Dear all,
>
> I'm new to the list. Unfortunately I'm not an expert at all, but
> I'm trying my best to understand fail2ban and the world of IP addressing.
>
> I've got this email-message from fail2ban:
>
> ############################################################
>
> Hi,
>
> The IP 0.0.0.0 has just been banned by Fail2Ban after
> 1 attempts against sshd.
>
>
> Here is more information about 0.0.0.0 :
>
> Für diese Art von Objekten ist kein Whois-Server bekannt.
> missing whois program
>
>
> Lines containing IP:0.0.0.0 in /var/log/auth.log
>
>
> Regards,
>
> Fail2Ban
>
>
> ############################################################
>
>
>
> This is confusing to me, because the IP address does not make any
> sense to me.
>
> How can anybody have an IP address of 0.0.0.0? Is this any kind of
> special IP address? Why does it show up in my sshd jail? Is it
> some kind of loopback-device address? Some kind of broadcast? Am I
> in danger of blocking all the traffic?
>
> Thanks so much for clarification,
>
> kaffeesurrogat
>
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
<mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
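
The log search described in the top message, as an added example that is not part of the thread: rotated auth logs are often gzip-compressed, which a plain `grep -r` does not read as text, and the pattern there leaves one dot unescaped. The file naming (auth.log, auth.log.N.gz), both function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes logrotate-style names:
# auth.log, auth.log.1, auth.log.2.gz ... in one directory.

# find_ip_in_logs IP DIR: print "file: line" for every line holding exactly IP.
# Returns 0 if at least one line matched, 1 otherwise.
find_ip_in_logs() {
    ip=$1
    dir=$2
    # Escape the dots; an unescaped "." matches any character.
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    # Guards keep 0.0.0.0 from matching inside 10.0.0.0 or 0.0.0.0.5.
    pattern="(^|[^0-9.])${esc}([^0-9.]|\$)"
    rc=1
    for f in "$dir"/auth.log*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) reader="gzip -dc" ;;   # compressed rotation: decompress before matching
            *)    reader="cat" ;;
        esac
        hits=$($reader "$f" | grep -E -- "$pattern") || continue
        printf '%s\n' "$hits" | sed "s|^|$f: |"
        rc=0
    done
    return $rc
}

# make_sample_logs: build a throwaway log directory from constructed lines
# and print its path.
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' \
        'Oct 31 09:40:01 host sshd[1201]: Failed password for root from 10.0.0.0 port 4022 ssh2' \
        > "$d/auth.log"
    printf '%s\n' \
        'Oct 24 03:12:45 host sshd[987]: Connection closed by 0.0.0.0 port 0 [preauth]' \
        'Oct 24 03:13:02 host sshd[990]: Failed password for root from 100.0.0.0 port 5022 ssh2' \
        | gzip -c > "$d/auth.log.2.gz"
    printf '%s\n' "$d"
}

sample=$(make_sample_logs)
find_ip_in_logs 0.0.0.0 "$sample" || echo "no match"
rm -rf "$sample"
```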