Iptables – Fail2ban jailed but IP still accessing server

Tags: fail2ban, iptables, ubuntu-16.04, webmin

I've got a server running a bunch of WordPress sites, and each of these sites refuses logins from IPs after a number of failed logins. The steps are as follows:

  1. 3 failed logins from an IP = WP refuses logins from this IP for 10 mins (level 1 lockout)
  2. On the 2nd level 1 lockout, this moves to level 2, upon which the IP is refused for 1 hour

Additionally, the WP security plugin writes to a file on the server (Level 3?). This means we can pool data across sites hosted on that server. Now using Fail2Ban we look for 3 level 3 lockouts within 1 month and then ban at server level for 3 months.

However, the WP plugins are still showing repeat new lockouts for these same IP addresses. This means that the perpetrator is still gaining access to sites hosted on this server.

If I look in the server logs I can see that the lockouts are being written to the correct file. I can also see that Fail2Ban and the relevant jail/actions are detecting the repeat IPs/offender(s) and banning them.

Now, if I run the following command:

iptables -L

I get output similar to this (edited for brevity):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-WordPress  tcp  --  anywhere             anywhere            multiport dports http,https
f2b-Http-Get-Dos  tcp  --  anywhere             anywhere             multiport dports http,https
.....

and further down:

Chain f2b-WordPress (1 references)
target     prot opt source               destination         
REJECT     all  --  dedic980.hidehost.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  dedic693.hidehost.net  anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

So, I can see that my jail is being triggered, and that the hostnames related to the IPs used are being rejected, but the user is still gaining access to the server on the same IPs that have been used repeatedly. So, clearly they are still getting access to the sites on the server and are trying to brute force their way into the site admins.

This needs to be stopped, asap.

So, my assumption is that iptables is blocking the hostname and not the IP. Since this hostname appears to be from a service designed to hide real hostnames, I figured this is the cause of the problem, i.e. iptables is blocking the wrong hostname. But perhaps I'm wrong here. I'd welcome a better solution if that's the case.

On that basis I've edited /etc/fail2ban/jail.conf as follows (I know I should create a local version):

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
# usedns = warn
usedns = no

Then, I saved everything and restarted the fail2ban service. The log files suggest that everything is running fine and that the WordPress jail did its job and banned the 2 IPs being used by this particular person.

Another look at iptables -L however shows that the hostname has been blocked and not the IPs.

So, what do I do now?

Update

I've just added the two IPs manually to iptables via Webmin > Linux Firewall (which I think uses firewalld) and run iptables -L, which shows the hostnames rather than the IPs I entered. So, is it iptables converting the IPs to hostnames rather than fail2ban? If so, why is it that the other 20 IPs I've added rules for manually all show as their IP and NOT a hostname?

Best Answer

The rules will block new connections, not existing connections. As long as they keep the connection alive they will be able to make queries.

To drop their existing connections add a copy of the reject rule above the accept rule for established connections. Remove the rule once the connections are dropped.

You should be able to see the connections in the output of the command 'netstat -ant | grep EST'.

You may need to manually add a rule if they keep trying. Fail2ban only bans connection for the period specified by the bantime setting. A manually added rule should stick.
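Two facts behind the question and the answer are worth checking mechanically. First, iptables -L resolves every address to a hostname through reverse DNS unless it is given -n, so the dedic980.hidehost.net entries are simply the banned IPs displayed by name, not a ban on the wrong target. Second, a REJECT rule inside the jail chain only sees packets that reach it; the ACCEPT rule for ESTABLISHED,RELATED traffic earlier in INPUT keeps accepting sessions that were open before the ban. The script below is an added example, not code from the question, the answer, fail2ban or Webmin. It parses the output of `iptables -L f2b-WordPress -n` and `netstat -ant`, lists banned sources that still hold ESTABLISHED sessions, and prints the temporary rule the answer describes for each of them. The sample listings are constructed (documentation address ranges) and stand in for real command output; the chain name and the `-I INPUT 1` position are assumptions about a typical ruleset.

```python
"""Cross-check fail2ban's iptables bans against live TCP sessions.

Feed it `iptables -L <chain> -n` (the -n suppresses the reverse-DNS lookups
that turn banned IPs into hostnames) and `netstat -ant`; it reports banned
sources that still have ESTABLISHED sessions, i.e. sessions the jail chain's
REJECT never touches because the ESTABLISHED,RELATED ACCEPT rule matches first.
"""
import ipaddress

# Constructed sample of `iptables -L f2b-WordPress -n`; not output from the poster's server.
IPTABLES_SAMPLE = """\
Chain f2b-WordPress (1 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  192.0.2.11           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample of `netstat -ant`; 198.51.100.5 plays the web server.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.5:443        192.0.2.10:51514        ESTABLISHED
tcp        0      0 198.51.100.5:443        192.0.2.10:51520        ESTABLISHED
tcp        0      0 198.51.100.5:443        203.0.113.7:40022       ESTABLISHED
tcp        0      0 198.51.100.5:80         192.0.2.11:33001        TIME_WAIT
tcp6       0      0 ::ffff:198.51.100.5:443 ::ffff:192.0.2.11:40100 ESTABLISHED
"""


def banned_sources(iptables_listing):
    """Return (networks, hostnames) for the sources of REJECT/DROP rules.

    Hostnames only show up when the listing was produced without -n; they are
    returned separately because they cannot be matched against socket addresses.
    """
    networks, hostnames = set(), []
    for line in iptables_listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("REJECT", "DROP"):
            continue  # chain header, column header, RETURN, etc.
        src = fields[3]
        try:
            networks.add(ipaddress.ip_network(src, strict=False))
        except ValueError:
            hostnames.append(src)
    return networks, hostnames


def established_peers(netstat_listing):
    """Return {peer_ip: session_count} for the ESTABLISHED rows of `netstat -ant`."""
    peers = {}
    for line in netstat_listing.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "ESTABLISHED":
            continue
        host, _, _port = fields[4].rpartition(":")   # foreign address, split off the port
        addr = ipaddress.ip_address(host.strip("[]"))  # tolerate the [v6]:port form
        if addr.version == 6 and addr.ipv4_mapped:     # tcp6 sockets print ::ffff:a.b.c.d
            addr = addr.ipv4_mapped
        peers[str(addr)] = peers.get(str(addr), 0) + 1
    return peers


def still_connected(iptables_listing, netstat_listing):
    """Map each banned source that still has ESTABLISHED sessions to its session count."""
    networks, _ = banned_sources(iptables_listing)
    live = {}
    for ip, count in established_peers(netstat_listing).items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            live[ip] = count
    return live


def purge_commands(live, chain="INPUT"):
    """Rules that, inserted at the top of INPUT, reject the surviving sessions.

    This is the answer's advice in command form: a copy of the reject rule above
    the established-connections ACCEPT, to be deleted again once the sessions die.
    Position 1 is an assumption; check `iptables -L INPUT -n --line-numbers` first.
    """
    return [f"iptables -I {chain} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"
            for ip in sorted(live)]


if __name__ == "__main__":
    networks, names = banned_sources(IPTABLES_SAMPLE)
    print("banned sources:", ", ".join(sorted(str(n) for n in networks)))
    if names:
        print("hostnames in listing (re-run iptables with -n):", names)
    live = still_connected(IPTABLES_SAMPLE, NETSTAT_SAMPLE)
    for ip, count in sorted(live.items()):
        print(f"{ip} is banned but still holds {count} ESTABLISHED session(s)")
    for cmd in purge_commands(live):
        print("   ", cmd)
```

On a real host, replace the two sample strings with the captured output of `iptables -L f2b-WordPress -n` and `netstat -ant`. An empty result from still_connected means the ban is already effective for that address and no extra rule is needed; if the hostnames list is non-empty, the iptables listing was taken without -n and the comparison cannot be trusted.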
