Environment:
Fail2Ban version (including any possible distribution suffixes): v0.10.2
OS, including release name/version: debian 10.3
Fail2Ban installed via OS/distribution mechanisms
You have not applied any additional foreign patches to the codebase
Some customizations were done to the configuration (provide details below if so): Only jail.d/* config files
The issue:
I can't block traffic from an attacker who has been smart. Fail2ban tries to ban him, but sadly fails because his PTR is forged and wrong.
postfix logs:
Mar 23 01:41:13 xxxxxx postfix/smtpd[20835]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
Mar 23 01:41:13 xxxxxx postfix/smtpd[20835]: connect from unknown[92.118.38.42]
Mar 23 01:41:30 xxxxxx postfix/smtpd[20835]: Anonymous TLS connection established from unknown[92.118.38.42]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 23 01:42:15 xxxxxx postfix/smtpd[20835]: warning: unknown[92.118.38.42]: SASL LOGIN authentication failed: authentication failure
fail2ban logs:
2020-03-23 01:42:15,276 fail2ban.filter [2037]: INFO [postfix-sasl] Found 92.118.38.42 - 2020-03-23 01:42:15
2020-03-23 01:42:15,397 fail2ban.actions [2037]: WARNING [postfix-sasl] 92.118.38.42 already banned
Fail2ban always tries to resolve his PTR, which for him (92.118.38.42) is ip-38-42.ZervDNS.
This DNS is totally forged and doesn't exist. It seems fail2ban doesn't verify that this DNS contains at least one IP matching the attacker. Fail2ban just proceeds to ban the DNS via iptables.
Iptables doesn't block the traffic from the attacker because the DNS ip-38-42.ZervDNS doesn't match the IP 92.118.38.42. The attacker can do whatever the heck he wants.
To sum up: a smartass being a smartass.
Steps to reproduce
Forge yourself a fake PTR record
Expected behavior
IP banned when the PTR does not match at least one IP of the attacker.
Observed behavior
PTR is banned but that doesn't prevent the attacker from continuing to attack.
Any additional information
Configuration, dump and another helpful excerpts
Any customizations done to /etc/fail2ban/ configuration
Only in /jail.d/* to activate jails.
> This DNS is totally forged and doesn't exist. It seems fail2ban doesn't verify that this DNS contains at least one IP matching the attacker.

This is not interesting unless there are messages with a real IP that fail2ban can find and recognize as a failure.
Fail2ban (or rather the filter) will indeed have an issue if the service logs DNS entries only (and they could not be resolved properly).

> Fail2ban just proceeds to ban the DNS via iptables.

Yes, and as long as the IP remains the only real identifier it is correct, so... banning over DNS would be too ugly and vulnerable.

> Iptables doesn't block the traffic from the attacker because the DNS ip-38-42.ZervDNS doesn't match the IP 92.118.38.42.

For iptables it does not matter whether some DNS matches or doesn't match.
The IP that did a login attempt was 92.118.38.42; the DNS is secondary here:

Mar 23 01:42:15 xxxxxx postfix/smtpd[20835]: warning: unknown[92.118.38.42]: SASL LOGIN authentication failed: authentication failure

> The attacker can do whatever the heck he wants.

No. If the IP is banned, the intruder cannot do that from this IP anymore.
I guess something is wrong with your firewall or net-filter (anyway, "already banned" points to this).
Check your iptables rules - I assume you have some whitelisting rules that allow the connection before fail2ban chains are able to block it.
If you use firewalld, there is a known issue (of firewalld not fail2ban) - see #2503 (comment) (or https://github.com/t-woerner/firewalld/issues/44).
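Two points from the reply above are worth seeing in code: the filter matches the bracketed IP (the PTR label in front of it is irrelevant to what gets banned), and a ban that is "already" in place can still be bypassed if an ACCEPT rule in INPUT is evaluated before the jump into the fail2ban chain. The following is an added example, not fail2ban's own code: the regex is a simplified stand-in for the postfix-sasl failregex, the log lines and the two `iptables -S INPUT` rule sets are constructed, and the chain name `f2b-postfix-sasl` assumes the default `f2b-<jail>` naming.

```python
import re
import ipaddress

# Constructed sample postfix/smtpd lines, modelled on the ones quoted in the issue.
POSTFIX_LOG = """\
Mar 23 01:41:13 mail postfix/smtpd[20835]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
Mar 23 01:41:13 mail postfix/smtpd[20835]: connect from unknown[92.118.38.42]
Mar 23 01:42:15 mail postfix/smtpd[20835]: warning: unknown[92.118.38.42]: SASL LOGIN authentication failed: authentication failure
"""

# Simplified stand-in for fail2ban's postfix-sasl failregex (assumption: the real
# pattern is longer, but its <HOST> likewise sits inside the square brackets, and
# the reverse-DNS label before the brackets is not what gets banned).
FAILREGEX = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<rdns>[-._\w]+)\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)


def find_failures(log_text):
    """Return (reverse-dns-label, host) pairs for every line that counts as a failure.
    The 'connect from' and 'does not resolve' lines are not failures and are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits.append((m.group("rdns"), m.group("host")))
    return hits


def ban_targets(log_text):
    """Addresses a jail would hand to its ban action: always the bracketed IP, never the PTR label."""
    return [str(ipaddress.ip_address(host)) for _, host in find_failures(log_text)]


# Constructed `iptables -S INPUT` output in which a blanket ACCEPT for the SMTP
# ports is evaluated before the jump into the fail2ban chain: bans never bite.
IPTABLES_SHADOWED = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix-sasl
"""

# Same ruleset with the fail2ban jump first (where the multiport action inserts it).
IPTABLES_OK = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix-sasl
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
"""

# Accepts that cannot admit a *new* connection from a banned address, so they are not reported.
BENIGN = ("-i lo ", "--ctstate RELATED,ESTABLISHED")


def accepts_before_jail(iptables_s, chain):
    """ACCEPT rules in INPUT that iptables evaluates before the jump to `chain`.
    Returns None when INPUT never jumps to the chain at all (the jail's action
    did not wire its chain in, e.g. after a firewall reload)."""
    shadowing = []
    for rule in iptables_s.splitlines():
        if not rule.startswith("-A INPUT "):
            continue  # policy line or rules of other chains
        if rule.endswith(f"-j {chain}"):
            return shadowing
        if rule.endswith("-j ACCEPT") and not any(b in rule for b in BENIGN):
            shadowing.append(rule)
    return None


if __name__ == "__main__":
    print("failures:", find_failures(POSTFIX_LOG))
    print("ban targets:", ban_targets(POSTFIX_LOG))
    for name, rules in (("shadowed", IPTABLES_SHADOWED), ("ok", IPTABLES_OK)):
        print(name, "->", accepts_before_jail(rules, "f2b-postfix-sasl"))
```

On a live host the rule set would come from `iptables -S INPUT` rather than the constructed strings; an ACCEPT reported ahead of the jump, or a missing jump, explains an "already banned" address that still connects.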