It would be nice to support IPv6 in fail2ban. It should not
be that difficult, especially since ip6tables takes
exactly the same syntax. The only difference would be to
parse the log files a little differently to match the IPv6 IP.
Nice idea ;-)
No problem with ip6tables since with Fail2Ban >= 0.5.0
firewall rules are defined in the configuration file.
Do you have SSH (or any other service) log files with IPv6
Sure. Here is an example where I tried to hack myself with a
random username ;)
Jul 12 17:26:45 mail sshd: Server listening on :: port
Jul 12 17:27:40 mail sshd: Accepted keyboard-interactive/pam for root from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1048 ssh2
Jul 12 17:27:40 mail sshd(pam_unix): session opened for user root by root(uid=0)
Jul 12 17:47:03 mail sshd: Invalid user fdds from 2001:
Jul 12 17:47:04 mail sshd(pam_unix): check pass;
Jul 12 17:47:04 mail sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:
Jul 12 17:47:06 mail sshd: error: PAM: Authentication failure for illegal user fdds from 2001:16d8:ff02:0:9176:5b40:
Jul 12 17:47:06 mail sshd: Failed keyboard-interactive/pam for invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1049 ssh2
Remember though that some matches don't work.
Specifically "-m state", as the IPv6 iptables doesn't have conntrack.
I am running courier-mta/IMAP/POP3 and Apache and some
other services on IPv6 too.
Jul 12 17:53:51 mail imapd: Connection, ip=[::ffff:192.168.0.10]
Jul 12 17:53:51 mail imapd: LOGIN, user=admin@tnonline.net, ip=[::ffff:192.168.0.10], protocol=IMAP
A failed attempt to login:
Jul 12 17:58:23 mail imapd: LOGIN FAILED, method=CRAM-
These are connections from an IPv4 host. Courier listens on IPv6
and so the address you see in the log is an IPv4 address
converted into IPv6 address space. It may be important to be
able to filter this properly.
Not sure what I can give you with Apache. I do not use
Apache for authentication for my websites. Here are two failed
attempts to access a file.
[Tue Jul 12 17:36:24 2005] [error] [client 220.127.116.11] File does not exist: /var/www/localhost/htdocs/tnonline.net/sumthin
[Tue Jul 12 18:00:20 2005] [error] [client 2001:16d8:ff02:0:9176:5b40:a39f:644f] File does not exist: /var/www/localhost/
Thank you very much :-)
Is it possible to give an IPv4 address to ip6tables? I read
the man pages a bit and it does not seem to be possible :-/
In general, do you use iptables and ip6tables in parallel?
I think a good idea would be to replace the <ip> tag by
<ipv4> and add <ipv6>. An example:
<ipv4> = 192.168.0.10
<ipv6> = ::ffff:192.168.0.10
<ipv4> = undefined
<ipv6> = 2001:16d8:ff02:0:9176:5b40:a39f:644f
Is that right that 2001:16d8:ff02:0:9176:5b40:a39f:644f does
not have a corresponding IPv4 address?
No, you cannot give IPv4 addresses to ip6tables =/
Perhaps you would need to do a test:
Yes you are right that ipv6 addresses do not have
corresponding ipv4 variants. Only the opposite - which is only
true for applications listening on both IPv6 and IPv4. So if I
instruct my sshd to only listen on 0.0.0.0:22 instead of [::]:22
it will only have pure IPv4 addresses in the log.
Alright, but if I give ::ffff:192.168.0.10 to ip6tables, it
should work. No?
The idea is to convert every IPv4 addresses to IPv6, take
IPv6 addresses as they are and use ip6tables with <ipv6>.
If you do not need IPv6 support, just use iptables with
Good or bad idea?
Yes you can give ::ffff:192.168.0.10 to ip6tables, but it will not
work as you would expect. The reason it would not work is
because the source address is really IPv4 192.168.0.10. The
IPv6 transformation is only done in the last step by the
listening socket after the packet has gone through the firewall.
At least this is what I believe. I will try to look it up.
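The <ipv4>/<ipv6> tag idea proposed above, together with the point that an address logged as ::ffff:a.b.c.d arrived as IPv4 on the wire and so must be banned with iptables rather than ip6tables, sketched as an added example. This is not fail2ban code and not anything posted in this thread: the log lines are constructed (modelled loosely on the ones posted above), the failregex-style patterns, the chain name "fail2ban" and the function names are all assumptions for illustration.

```python
"""Added example: derive <ipv4>/<ipv6> tags from logged addresses and pick
the right firewall table. Not fail2ban code; regexes, chain name and
sample lines are constructed for illustration."""
import ipaddress
import re
from typing import Optional

# Constructed sample lines (hex-looking but invalid host on the last line
# exercises the validation path).
SAMPLE_LOG = """\
Jul 12 17:47:06 mail sshd: Failed keyboard-interactive/pam for invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1049 ssh2
Jul 12 17:58:23 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.168.0.10], protocol=IMAP
Jul 12 17:59:01 mail sshd: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Jul 12 17:59:30 mail sshd: Failed password for invalid user test from 999.1.1.1 port 40123 ssh2
"""

# Hypothetical failregex-style patterns. <host> accepts anything that looks
# like a dotted quad or colon-hex literal; real validation happens in tags().
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
FAILREGEX = {
    "sshd": re.compile(
        r"sshd(?:\[\d+\])?: Failed \S+ for (?:invalid user )?\S+ from " + HOST + r" port \d+"
    ),
    "courier": re.compile(r"imapd: LOGIN FAILED,.*\bip=\[" + HOST + r"\]"),
}

CHAIN = "fail2ban"  # hypothetical chain name


def tags(host: str) -> Optional[dict]:
    """Return {'ipv4', 'ipv6', 'table'} for a logged address, None if it is not one."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # regex matched something that is not a valid address
    if addr.version == 4:
        # Pure IPv4: <ipv6> is the mapped form, but the ban must go to iptables.
        return {"ipv4": str(addr), "ipv6": f"::ffff:{addr}", "table": "iptables"}
    mapped = addr.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None
    if mapped is not None:
        # Logged by a dual-stack listener, but the packet was IPv4 on the wire;
        # an ip6tables rule for ::ffff:a.b.c.d would never see it.
        return {"ipv4": str(mapped), "ipv6": f"::ffff:{mapped}", "table": "iptables"}
    # Native IPv6: no IPv4 counterpart, so <ipv4> stays undefined.
    return {"ipv4": None, "ipv6": str(addr), "table": "ip6tables"}


def ban_command(t: dict) -> str:
    """Build the ban rule for the table chosen by tags()."""
    target = t["ipv4"] if t["table"] == "iptables" else t["ipv6"]
    return f"{t['table']} -I {CHAIN} -s {target} -j DROP"


def scan(log_text: str) -> list:
    """Run every failregex over the log and return (service, tags) per hit."""
    hits = []
    for line in log_text.splitlines():
        for service, rx in FAILREGEX.items():
            m = rx.search(line)
            if m:
                t = tags(m.group("host"))
                if t is not None:
                    hits.append((service, t))
                break
    return hits


if __name__ == "__main__":
    for service, t in scan(SAMPLE_LOG):
        print(service, t, "->", ban_command(t))
```

Running it on the constructed lines yields one ip6tables ban for the native IPv6 client and iptables bans for both the dotted-quad client and the ::ffff:192.168.0.10 Courier client; the 999.1.1.1 line matches the regex but is dropped by the address validation.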
What's the status on this?