Forged PTR record breaking fail2ban logic #2667

Closed
3 tasks done
akhamar opened this issue Mar 23, 2020 · 2 comments
Comments

@akhamar

akhamar commented Mar 23, 2020

Environment:

  • Fail2Ban version (including any possible distribution suffixes): v0.10.2
  • OS, including release name/version: debian 10.3
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so): Only jail.d/* config files

The issue:

I can't block traffic from an attacker being smart. Fail2ban tries to ban him, but sadly fails because his PTR is forged and wrong.

postfix logs:

Mar 23 01:41:13 xxxxxx postfix/smtpd[20835]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
Mar 23 01:41:13 xxxxxx postfix/smtpd[20835]: connect from unknown[92.118.38.42]
Mar 23 01:41:30 xxxxxx postfix/smtpd[20835]: Anonymous TLS connection established from unknown[92.118.38.42]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 23 01:42:15 xxxxxx postfix/smtpd[20835]: warning: unknown[92.118.38.42]: SASL LOGIN authentication failed: authentication failure

fail2ban logs:

2020-03-23 01:42:15,276 fail2ban.filter         [2037]: INFO    [postfix-sasl] Found 92.118.38.42 - 2020-03-23 01:42:15
2020-03-23 01:42:15,397 fail2ban.actions        [2037]: WARNING [postfix-sasl] 92.118.38.42 already banned

iptables:

Chain f2b-recidive (1 references)
target     prot opt source               destination         
REJECT     all  --  ip-38-42.ZervDNS     anywhere             reject-with icmp-port-unreachable

Fail2ban always tries to resolve his PTR, which for 92.118.38.42 is ip-38-42.ZervDNS.
This DNS is totally forged and doesn't exist. It seems fail2ban doesn't verify that this DNS name at least contains one IP matching the attacker. Fail2ban just proceeds to ban the DNS name via iptables.
Iptables doesn't block the traffic from the attacker because the DNS name ip-38-42.ZervDNS doesn't match the IP 92.118.38.42. The attacker can do whatever the heck he wants.

To sum up: a smartass being a smartass.

Steps to reproduce

Forge yourself a fake PTR record

Expected behavior

IP banned when PTR is not matching at least one IP from attacker.

Observed behavior

PTR is banned but this doesn't prevent the attacker from continuing to attack.

Any additional information

Configuration, dump and other helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

only in /jail.d/* to activate jails

@sebres
Contributor

sebres commented Mar 24, 2020

This DNS is totally forged and doesn't exist. It seem fail2ban doesn't verify that this dns at least contain one ip matching the attacker.

This is not interesting unless there are messages with a real IP that fail2ban can find and recognize as a failure.
Fail2ban (or rather the filter) will indeed have an issue if the service logs DNS entries only (and they cannot be resolved properly).

Fail2ban just proceed to ban the DNS via iptables.

Yes, and as long as the IP remains the only real identifier, it is correct so... banning over DNS would be too ugly and vulnerable.

Iptables doesn't block the traffic from the attacker because the DNS ip-38-42.ZervDNS doesn't match the IP 92.118.38.42.

For iptables it does not matter whether some DNS name matches or doesn't match.
The IP that did a login attempt was 92.118.38.42; the DNS name is secondary here.
Mar 23 01:42:15 xxxxxx postfix/smtpd[20835]: warning: unknown[92.118.38.42]: SASL LOGIN authentication failed: authentication failure

Attacker can do the heck he wants.

No. If the IP is banned, the intruder cannot do that from this IP anymore.
I guess something is wrong with your firewall or net-filter (anyway, "already banned" points to this).
Check your iptables rules - I assume you have some whitelisting rules that allow the connection before fail2ban chains are able to block it.
If you use firewalld, there is a known issue (of firewalld not fail2ban) - see #2503 (comment) (or https://github.com/t-woerner/firewalld/issues/44).

Anyway forget DNS - it is not the issue at all.
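
The point made in this thread (the bracketed IP in the postfix line is the identifier fail2ban bans; the client name, whether "unknown" or a forged PTR, is irrelevant to the firewall rule) can be checked with a small script. The following is an added example written for this issue page; it is not fail2ban's code and not its real postfix-sasl failregex. The regex is a simplified stand-in, the sample log lines are constructed after the excerpt above, and the PTR/A lookup tables (FAKE_PTR, FAKE_A) are constructed stand-ins for a resolver so the script runs offline. The fcrdns_ok function shows the "does the PTR name resolve back to the IP" check the reporter asked for, and why it is only informational: ban decisions are keyed on the IP either way.

```python
import ipaddress
import re

# Constructed sample lines modelled on the postfix excerpt in the issue.
SAMPLE_LOG = """\
Mar 23 01:41:13 mx postfix/smtpd[20835]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
Mar 23 01:41:13 mx postfix/smtpd[20835]: connect from unknown[92.118.38.42]
Mar 23 01:42:15 mx postfix/smtpd[20835]: warning: unknown[92.118.38.42]: SASL LOGIN authentication failed: authentication failure
Mar 23 01:43:00 mx postfix/smtpd[20835]: warning: mail.example.test[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
"""

# Simplified stand-in for a SASL-failure regex (not fail2ban's own failregex).
# The client name before the bracket may be "unknown" or any name postfix chose
# to log; the address inside the bracket is what the peer actually connected from.
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL [A-Z-]+ authentication failed"
)


def failed_logins(log_text):
    """Return (client_name_as_logged, ip) for every SASL failure line."""
    hits = []
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            # ipaddress rejects anything that is not a literal address, so a
            # hostname can never end up in the ban list by mistake.
            ip = ipaddress.ip_address(m.group("ip"))
            hits.append((m.group("host"), str(ip)))
    return hits


def ban_targets(log_text):
    """Distinct source IPs that would be handed to the ban action."""
    return sorted({ip for _, ip in failed_logins(log_text)})


# Constructed resolver tables (hypothetical; replace with real lookups).
# The forged PTR name has no forward (A) record at all.
FAKE_PTR = {"92.118.38.42": "ip-38-42.ZervDNS", "192.0.2.10": "mail.example.test"}
FAKE_A = {"mail.example.test": ["192.0.2.10"]}


def fcrdns_ok(ip, ptr_lookup=FAKE_PTR.get, a_lookup=FAKE_A.get):
    """Forward-confirmed reverse DNS: PTR name must resolve back to the IP.

    This is informational only; a failing check never changes what gets
    banned, because the ban is keyed on the IP, not on the name.
    """
    name = ptr_lookup(ip)
    if not name:
        return False
    return ip in (a_lookup(name) or [])


if __name__ == "__main__":
    for host, ip in failed_logins(SAMPLE_LOG):
        print(f"{ip:15} logged as {host:20} fcrdns_ok={fcrdns_ok(ip)}")
    print("ban targets:", ban_targets(SAMPLE_LOG))
```

Two things follow from running it. First, the forged name never reaches the ban list: ban_targets yields the literal addresses only, which is what the iptables rule is built from. Second, the name that shows up in `iptables -L` output is produced by iptables itself reverse-resolving the rule's IP for display; listing the chain with `iptables -L -n` prints the raw addresses and shows whether 92.118.38.42 is actually present in the f2b chain, which is the check to make before suspecting the ban logic.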

@akhamar
Author

akhamar commented Mar 24, 2020

I'll have a better look but it seems you are right.
Thanks.
