Resolved fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address for...

CoyoteKG

Hello, I have not checked fail2ban on this server for a long time.
Now when I logged in, I noticed that not even one IP is banned, and that was strange, so I checked the log file.
And the log file contains hundreds of these...

Could you please tell me what the problem could be, and how to troubleshoot it?

2018-02-22 11:43:46,313 fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address for 2a01:4f8:221:2114::2: [Errno -9] Address family for hostname not supported
2018-02-22 11:43:46,314 fail2ban.filter [1946]: INFO [plesk-postfix] Found 91.200.12.82
2018-02-22 11:46:48,582 fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address for 2a01:4f8:221:2114::2: [Errno -9] Address family for hostname not supported
2018-02-22 11:46:48,582 fail2ban.filter [1946]: INFO [plesk-postfix] Found 91.200.12.13
2018-02-22 11:49:43,512 fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address for 2a01:4f8:221:2114::2: [Errno -9] Address family for hostname not supported
2018-02-22 11:49:43,512 fail2ban.filter [1946]: INFO [plesk-postfix] Found 91.200.12.82
2018-02-22 11:49:57,671 fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address for 2a01:4f8:221:2114::2: [Errno -9] Address family for hostname not supported
2018-02-22 11:49:57,672 fail2ban.filter [1946]: INFO [plesk-postfix] Found 185.222.209.14
2018-02-22 11:50:21,681 fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address for 2a01:4f8:221:2114::2: [Errno -9] Address family for hostname not supported
2018-02-22 11:50:21,681 fail2ban.filter [1946]: INFO [plesk-postfix] Found 91.200.12.13
 
Please tell us which system you are using and which fail2ban version.
IPv6 support in fail2ban is only available in newer versions - see also "fail2ban now supports IPv6 - please upgrade"

If you believe something should be banned, you can check your config and filter against log files on the CLI like this:
# fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/xyz.conf

Kind regards
Brujo
 
I restarted, and there is no error. Only the same warning as in the thread subject, twice.

As a noob, I supposed that this is related to there being no banned IP addresses, for two reasons.
1. It is strange, because every second log line is this error.
2. There are no banned IP addresses, but in the attachment you can find a file showing that these IP addresses should be banned.

My postfix regex is the Plesk default:
Code:
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
maxretry = 5

And yes, this IPv6 is from my server.

For some reason, I can't upload a txt or even a zip file here on the forum; I get the error "wrong extension".
So if you are interested, you can download it from here
fail2ban1.txt
and you will see that these IP addresses should be banned.
 
In general, and based on your log file, it works as designed. There is a Ban entry.

Well, and yes, all these Found entries are recognized by fail2ban but not banned, because they do not trigger your settings. All these 91.200.12.x addresses match the filter, but perhaps not the "maxretry" or the "Time interval for detection of subsequent attacks" as well. In your case a lot of different IPs are used over a longer time than the "Default" set by fail2ban.

If you would like to catch them, you have to check and adjust both settings, or block the IP range via the Plesk firewall on port 25 if you are sure it is an attacker.

For example, the IP 91.200.12.82 hits you every 6 minutes :-(
You can try adding this entry to your plesk-postfix jail:
findtime = 1800

This should catch this IP, but take care and check this in the log files.
 
Hmm, so
[Attached screenshot: upload_2018-2-22_13-56-3.png]

That means if 92.200.12.x doesn't miss more than 3x in 3 minutes, it will not be banned? It makes sense now. This is some smart bot :). It tries once every few minutes.
OK, I will raise this value to 30 minutes.

Thank you Brujo.

Also, I checked another server, and this warning from the subject is there as well. Is it possible to switch it off somehow? I'm not using IPv6 on the server.
 
Just for completeness, the settings you can set individually per jail in jail.local:
maxretry =
bantime =
findtime =

To get these "smart bot" attacks caught by fail2ban, that means you have to check your config and settings on a regular basis.
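
An added example, not part of any post in this thread: a simplified replay of the `Found` lines in a fail2ban log that reports which addresses would reach `maxretry` within `findtime`, showing why a source that tries once every 6 minutes escapes a short window but is caught with `findtime = 1800`. The sample log, its addresses (documentation ranges), the 600-second baseline and the sliding-window counting are assumptions; fail2ban's own bookkeeping may differ in detail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the fail2ban.log format quoted in the thread.
# 192.0.2.82 tries once every 6 minutes; 198.51.100.7 sends a fast burst.
_F = "fail2ban.filter [1946]: INFO [plesk-postfix] Found "
_W = ("fail2ban.filter [1946]: WARNING Unable to find a corresponding IP address "
      "for 2001:db8::2: [Errno -9] Address family for hostname not supported")
SAMPLE_LOG = "\n".join(
    [f"2018-02-22 11:{m:02d}:00,100 {_F}192.0.2.82" for m in (0, 6, 12, 18, 24)]
    + [f"2018-02-22 11:30:{s:02d},200 {_F}198.51.100.7" for s in range(1, 6)]
    + [f"2018-02-22 11:30:06,300 {_W}"]
)

FOUND_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.filter\s*\[\d+\]:\s+"
    r"INFO\s+\[([^\]]+)\]\s+Found\s+(\S+)")

def parse_found(text):
    """Yield (timestamp, jail, ip) for every 'Found' line; skip everything else."""
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def would_ban(text, maxretry, findtime):
    """Return {(jail, ip): time the maxretry-th match fell inside findtime seconds}.

    Assumed model: a plain sliding window over match timestamps per (jail, ip).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # matches still inside the window
    banned = {}
    for ts, jail, ip in parse_found(text):
        key = (jail, ip)
        if key in banned:
            continue
        hits = recent[key]
        hits.append(ts)
        while ts - hits[0] > window:   # drop matches older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[key] = ts
    return banned

if __name__ == "__main__":
    for findtime in (600, 1800):
        print(findtime, would_ban(SAMPLE_LOG, maxretry=5, findtime=findtime))
```

Replaying a copy of the real log with the jail's current and proposed values shows which sources a change would start catching before it is applied.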
 
I have exactly the same problem. I checked the log after a long time of not checking it and it contains a really large amount of lines like this. Of course I read the article in the Plesk help center, but there is one strange thing: All of the IPs are IPs of my server! How can this be explained? Does fail2ban try to ban my server (which does not work due to IPv6)?

EDIT: All of my 7 IPs are listed in the logs every few seconds!

EDIT #2: I found the solution, at least for stopping the logfile spam. ;)
I just had to remove all of my IPv6 server IPs from the whitelist.
 
Would a bug report make sense? I mean, the IPv6 IPs should not be added to the fail2ban whitelist by Plesk.
 
I have this issue again; I had not checked for a while.
I have some attacks from a Russian IP: 30000 SQL injection attempts blocked by Wordfence, and everything passed by ModSecurity.
I removed the server's IPv6 address from the whitelist, and got a warning from Plesk that some services can be blocked.

I checked the log, and I have an enormous number of these lines.
I needed to block this IP manually with the firewall.

2018-08-07 11:31:17,350 fail2ban.filter [1494]: WARNING Unable to find a corresponding IP address for 2a01:4f8:10a:1c1f::2: [Errno -9] Address family for hostname not supported
2018-08-07 11:31:17,350 fail2ban.filter [1494]: INFO [plesk-modsecurity] Found 213.159.213.238
2018-08-07 11:31:17,454 fail2ban.filter [1494]: WARNING Unable to find a corresponding IP address for 2a01:4f8:10a:1c1f::2: [Errno -9] Address family for hostname not supported
2018-08-07 11:31:17,455 fail2ban.filter [1494]: INFO [plesk-modsecurity] Found 213.159.213.238
2018-08-07 11:31:17,455 fail2ban.filter [1494]: WARNING Unable to find a corresponding IP address for 2a01:4f8:10a:1c1f::2: [Errno -9] Address family for hostname not supported
2018-08-07 11:31:17,456 fail2ban.filter [1494]: INFO [plesk-modsecurity] Found 213.159.213.238
2018-08-07 11:31:17,567 fail2ban.filter [1494]: WARNING Unable to find a corresponding IP address for 2a01:4f8:10a:1c1f::2: [Errno -9] Address family for hostname not supported
2018-08-07 11:31:17,567 fail2ban.filter [1494]: INFO [plesk-modsecurity] Found 213.159.213.238
2018-08-07 11:31:17,568 fail2ban.filter [1494]: WARNING Unable to find a corresponding IP address for 2a01:4f8:10a:1c1f::2: [Errno -9] Address family for hostname not supported
2018-08-07 11:31:17,568 fail2ban.filter [1494]: INFO [plesk-modsecurity] Found 213.159.213.238
 
What exactly is your question now? How to get rid of those lines in your log file? If yes, isn't that your own server's IP? I mean the IPv6 IP 2a01:4f8:10a:1c1f::2.
 
but our additions have remained "pending approval" for nearly five days now. Is this normal?
Sorry, it is because all comments wait for approval from the publisher: when we are ready to answer the customer, a support engineer approves the comment and answers it. Currently we have a backlog there; we will try to sort it out in 1-2 days.
 
Thanks @IgorG your involvement has solved the delay now. It's been approved and replied to by Plesk.

The IMPORTANT part for all Plesk users is this:
....as soon as it will be tested and finished in scope of Plesk Onyx 17.9, it might be backported to older versions of Plesk as well. It will depend on the actual demand...
This means.... that if you have an existing Plesk release, will not be an early adopter of 17.9, but, do need IPv6 Fail2Ban on your current Plesk setup, then make a NOISE :D and let your requests be seen ;)

Either on this forum or on the article itself, which is HERE
 