How to Fix “fail2ban.filter: WARNING Determined IP using DNS Lookup” Flooding Logs After SSH Port Change


After modifying my SSH port configuration, I noticed my /var/log/fail2ban.log became flooded with entries like:

2023-11-15 14:22:31,542 fail2ban.filter [12345]: WARNING Determined IP using DNS Lookup: 203.0.113.45
2023-11-15 14:22:31,678 fail2ban.filter [12345]: WARNING Determined IP using DNS Lookup: 198.51.100.22

The root cause is that Fail2ban processes log entries differently once the SSH port is moved off the default (22): when it cannot immediately match a log entry against its built-in patterns, it falls back to a reverse DNS lookup.

Here's what's happening under the hood:

1. Fail2ban sees non-standard port connection attempts
2. Built-in regex patterns fail to match the modified log format
3. Fallback to DNS resolution occurs
4. Warning messages flood the logs

Create or modify /etc/fail2ban/jail.local:

[sshd]
enabled = true
# Your custom SSH port (fail2ban does not treat "#" as an inline comment, so keep it on its own line)
port = 2222
# Use the custom filter created in the next step (filter.d/sshd-custom.conf)
filter = sshd-custom
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

Then create a custom filter at /etc/fail2ban/filter.d/sshd-custom.conf:

[INCLUDES]
before = sshd.conf

[Definition]
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d+)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (signature|key))?)?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: .*: Auth fail$

For systems with heavy traffic, consider adding these to your jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
ignoreself = true
usedns = no

The critical parameter here is usedns = no, which disables reverse DNS lookups entirely; a match whose <HOST> field holds a hostname rather than an IP address is then dropped instead of resolved, so the log line itself must carry the client's address.

After making changes, test your configuration:

sudo fail2ban-client reload
sudo fail2ban-client status sshd
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-custom.conf

Monitor your logs for an hour to confirm warnings have stopped:

tail -f /var/log/fail2ban.log | grep -v "DNS Lookup"

When you see repeated entries like this in your fail2ban.log:

fail2ban.filter : WARNING Determined IP using DNS Lookup: [IP address]

This indicates Fail2Ban is performing reverse DNS lookups on connecting IP addresses. While not inherently problematic, excessive logging can fill your log files unnecessarily.

The issue often surfaces after modifying SSH ports because:

  • Fail2Ban's default configuration expects SSH on port 22
  • When you change ports, some logging behavior becomes more verbose
  • The DNS lookup warning appears more frequently as connections are evaluated

Here are the key configuration changes to implement:

1. Update jail.local

Modify your /etc/fail2ban/jail.local:

[sshd]
enabled = true
port    = your_new_ssh_port
logpath = %(sshd_log)s
findtime = 600
maxretry = 3
bantime = 86400
usedns = no

2. Adjust Filter Settings

Create or modify /etc/fail2ban/filter.d/sshd.local:

[INCLUDES]
before = sshd.conf

[Definition]
failregex = ^%(__prefix_line)s(?:error: )?[aA]uthentication (?:failure|error|failed).* from <HOST>(?: port \d+)?\s*$
            ^%(__prefix_line)s(?:error: )?Failed \S+ for .* from <HOST>(?: port \d+)?(?: ssh\d*)?\s*$
            ^%(__prefix_line)s(?:error: )?ROOT LOGIN REFUSED FROM <HOST>\s*$
            ^%(__prefix_line)s(?:error: )?[iI]nvalid user \S+ from <HOST>(?: port \d+)?\s*$
ignoreregex =
usedns = no

After making these changes:

  1. Restart Fail2Ban: sudo systemctl restart fail2ban
  2. Check status: sudo fail2ban-client status sshd
  3. Monitor logs: sudo tail -f /var/log/fail2ban.log

For better performance with custom SSH ports:

# In jail.local
[sshd-custom]
enabled  = true
port     = your_new_port
# No filter line: fail2ban defaults the filter to the jail name, so this jail expects filter.d/sshd-custom.conf
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s
usedns   = warn

The usedns setting has three options:

  • yes: Always perform reverse DNS lookups
  • no: Never perform lookups
  • warn: Perform lookup but don't use it for banning (current behavior)
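As an added example (not from the original page and not fail2ban's own code), the Python checker below runs two of the sshd.local failregex lines from step 2 over constructed auth.log lines and then applies the usedns rules just listed, showing which matches would be used as-is, sent to DNS, or dropped. It assumes a simplified stand-in for %(__prefix_line)s, and the sample addresses and the hostname scanner.example.net are constructed.

```python
import re
import ipaddress

# fail2ban expands the <HOST> tag in a failregex to this named group.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption; the real one lives in common.conf).
PREFIX_LINE = r"^(?:\w{3} +\d+ \d+:\d+:\d+ )?\S+ sshd\[\d+\]: "

# Two failregex lines from the sshd.local [Definition] on this page, tags substituted as fail2ban does.
FAILREGEX = [
    r"%(__prefix_line)s(?:error: )?Failed \S+ for .* from <HOST>(?: port \d+)?(?: ssh\d*)?\s*$",
    r"%(__prefix_line)s(?:error: )?[iI]nvalid user \S+ from <HOST>(?: port \d+)?\s*$",
]
COMPILED = [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_TAG))
            for p in FAILREGEX]

def match_host(line):
    """Return the <HOST> capture of the first failregex that matches, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def resolve_policy(host, usedns):
    """Emulate fail2ban's decision on a matched host: an IP literal is used as-is; a hostname is dropped
    under usedns = no and resolved under yes/warn (warn logs 'Determined IP using DNS Lookup'). No DNS here."""
    try:
        return str(ipaddress.ip_address(host)), "ip"
    except ValueError:
        pass
    if usedns == "no":
        return None, "dropped"
    return host, "needs-dns"

# Constructed sample auth.log lines (not real traffic). The last one carries a hostname instead of an
# address, which is exactly what makes fail2ban reach for DNS under usedns = warn.
SAMPLE_LOG = [
    "Nov 15 14:22:31 bastion sshd[12345]: Failed password for root from 203.0.113.45 port 51522 ssh2",
    "Nov 15 14:22:32 bastion sshd[12346]: Invalid user admin from 198.51.100.22 port 2222",
    "Nov 15 14:22:33 bastion sshd[12347]: Accepted publickey for ops from 192.0.2.10 port 2222 ssh2",
    "Nov 15 14:22:34 bastion sshd[12348]: Failed password for invalid user test from scanner.example.net port 40100 ssh2",
]

def audit(lines, usedns):
    """Return one (host, outcome) tuple per line that hits a failregex."""
    hosts = (match_host(line) for line in lines)
    return [resolve_policy(h, usedns) for h in hosts if h is not None]
```

Compare audit(SAMPLE_LOG, "warn") with audit(SAMPLE_LOG, "no"): the same three failures match, but only the hostname entry changes outcome, which is the one that produces the warning in the log.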