It would be nice to support IPv6 in fail2ban. It should not
be that difficult, especially since ip6tables takes
exactly the same syntax. The only difference would be to
parse the log files a little differently to match the IPv6 address.
Logged In: YES
user_id=933467
Nice idea ;-)
No problem with ip6tables since with Fail2Ban >= 0.5.0
firewall rules are defined in the configuration file.
Do you have SSH (or any other service) log files with IPv6
addresses ?
Thank you
Logged In: YES
user_id=820001
Sure, here is an example where I tried to hack myself with a
random username ;)
Jul 12 17:26:45 mail sshd[19196]: Server listening on :: port 22.
Jul 12 17:27:40 mail sshd[19219]: Accepted keyboard-interactive/pam for root from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1048 ssh2
Jul 12 17:27:40 mail sshd(pam_unix)[19222]: session opened for user root by root(uid=0)
Jul 12 17:47:03 mail sshd[20192]: Invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f
Jul 12 17:47:04 mail sshd(pam_unix)[20194]: check pass; user unknown
Jul 12 17:47:04 mail sshd(pam_unix)[20194]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:16d8:ff02:0:9176:5b40:a39f:644f
Jul 12 17:47:06 mail sshd[20192]: error: PAM: Authentication failure for illegal user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f
Jul 12 17:47:06 mail sshd[20192]: Failed keyboard-interactive/pam for invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1049 ssh2
Remember though that some matches don't work.
Specifically "-m state", as IPv6 iptables doesn't have conntrack
yet.
Logged In: YES
user_id=820001
I am running courier-mta/IMAP/POP3 and Apache and some
other services on IPv6 too.
courier log:
Jul 12 17:53:51 mail imapd: Connection, ip=[::ffff:192.168.0.10]
Jul 12 17:53:51 mail imapd: LOGIN, user=admin@tnonline.net, ip=[::ffff:192.168.0.10], protocol=IMAP
A failed attempt to login:
Jul 12 17:58:23 mail imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:192.168.0.10]
These are connections from an IPv4 host. Courier listens on IPv6,
and so the address you see in the log is an IPv4 address
converted into IPv6 address space. It may be important to be
able to filter this properly.
Not sure what I can give you with Apache. I do not use
Apache for authentication for my websites. Here are two failed
attempts to access a file.
[Tue Jul 12 17:36:24 2005] [error] [client 82.182.126.23] File does not exist: /var/www/localhost/htdocs/tnonline.net/sumthin
[Tue Jul 12 18:00:20 2005] [error] [client 2001:16d8:ff02:0:9176:5b40:a39f:644f] File does not exist: /var/www/localhost/htdocs/tnonline.net/dfsd
Logged In: YES
user_id=933467
Thank you very much :-)
Is it possible to give an IPv4 address to ip6tables? I read
the man pages a bit and it does not seem to be possible :-/
In general, do you use iptables and ip6tables in parallel?
I think a good idea would be to replace the <ip> tag by
<ipv4> and add <ipv6>. An example:
<ipv4> = 192.168.0.10
<ipv6> = ::ffff:192.168.0.10
or
<ipv4> = undefined
<ipv6> = 2001:16d8:ff02:0:9176:5b40:a39f:644f
Is that right that 2001:16d8:ff02:0:9176:5b40:a39f:644f does
not have a corresponding IPv4 address?
Thank you
Logged In: YES
user_id=820001
No you cannot give ipv4 addresses to ip6tables =/
Perhaps you would need to do a test:
if (ipv6 == true) {
    ip6tables ....
} else {
    iptables ....
}
Yes you are right that ipv6 addresses do not have
corresponding ipv4 variants. Only the opposite - which is only
true for applications listening on both IPv6 and IPv4. So if I
instruct my sshd to only listen on 0.0.0.0:22 instead of [::]:22
it will only have pure IPv4 addresses in the log.
Logged In: YES
user_id=933467
Alright but if I give ::ffff:192.168.0.10 to ip6tables, it
should work. No?
The idea is to convert every IPv4 address to IPv6, take
IPv6 addresses as they are and use ip6tables with <ipv6>.
If you do not need IPv6 support, just use iptables with
<ipv4> tag.
Good or bad idea?
Logged In: YES
user_id=820001
Yes you can give ::ffff:192.168.0.10 to ip6tables, but it will not
work as you would expect. The reason it would not work is
because the source address is really IPv4 192.168.0.10. The
IPv6 transformation is only done in the last step by the
listening socket after the packet has gone through the firewall.
At least this is what I believe. I will try to look it up.
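The two points made in this thread, that a filter must match both IPv4 and IPv6 addresses in the sshd, courier and Apache lines posted above, and that an IPv4-mapped address such as ::ffff:192.168.0.10 has to be unmapped and handed to iptables rather than ip6tables because the packet is plain IPv4 on the wire, are shown together in the added example below. This is illustration code, not fail2ban's own filter or action code: the sample log lines are constructed from the ones quoted in the thread, and the HOST regex, FAILURE_PATTERNS, normalize(), extract_failures() and firewall_command() are assumed names written for this page.

```python
import ipaddress
import re

# Constructed sample input: the failure lines quoted in this thread
# (sshd, courier imapd, Apache), one per line as the daemons log them,
# plus one successful login that must NOT produce a ban.
SAMPLE_LOG = [
    "Jul 12 17:47:03 mail sshd[20192]: Invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f",
    "Jul 12 17:47:06 mail sshd[20192]: Failed keyboard-interactive/pam for invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1049 ssh2",
    "Jul 12 17:58:23 mail imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:192.168.0.10]",
    "[Tue Jul 12 17:36:24 2005] [error] [client 82.182.126.23] File does not exist: /var/www/localhost/htdocs/tnonline.net/sumthin",
    "[Tue Jul 12 18:00:20 2005] [error] [client 2001:16d8:ff02:0:9176:5b40:a39f:644f] File does not exist: /var/www/localhost/htdocs/tnonline.net/dfsd",
    "Jul 12 17:53:51 mail imapd: LOGIN, user=admin@tnonline.net, ip=[::ffff:192.168.0.10], protocol=IMAP",
]

# Loose host sub-pattern (assumed, for illustration): a dotted quad, or a
# run of hex digits, colons and dots containing at least one colon.  That
# covers plain IPv6 and the IPv4-mapped ::ffff:a.b.c.d spelling.  It is
# deliberately permissive; ipaddress.ip_address() does the strict check.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:.]*)"

# Assumed failure patterns for the three log formats seen in the thread.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: (?:Invalid user |Failed \S+ for (?:invalid user )?)\S+ from " + HOST),
    re.compile(r"imapd: LOGIN FAILED, .*ip=\[" + HOST + r"\]"),
    re.compile(r"\[error\] \[client " + HOST + r"\] File does not exist"),
]


def normalize(host):
    """Parse the matched text and unmap ::ffff:a.b.c.d to plain IPv4.

    A dual-stack listener reports an IPv4 peer as an IPv4-mapped IPv6
    address, but the packet that crossed the firewall was IPv4, so a ban
    on the mapped form in ip6tables would never match anything.
    """
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def extract_failures(lines):
    """Return the normalised offending address for every failure line."""
    found = []
    for line in lines:
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m is None:
                continue
            try:
                found.append(normalize(m.group("host")))
            except ValueError:
                # The loose regex matched something that is not an
                # address; drop it rather than hand junk to the firewall.
                pass
            break
    return found


def firewall_command(addr):
    """Choose the table that will actually see this peer's packets."""
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return f"{tool} -I INPUT -s {addr} -j DROP"


def ban_commands(lines):
    return [firewall_command(a) for a in extract_failures(lines)]


if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
</```

Run as a script it prints one iptables or ip6tables line per failure; the courier line with ip=[::ffff:192.168.0.10] comes out as an iptables rule for 192.168.0.10, and the successful LOGIN line produces nothing. The unmapping relies on ipaddress.IPv6Address.ipv4_mapped from the standard library (Python 3.3 and later); the "-m state" caveat raised earlier in the thread is untouched here because these rules use only a source-address match.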
Hi.
What's the status on this?
Cheers,
Chris.