#7 IPv6 support

open
None
5
2005-07-12
2005-07-12
Gatak
No

It would be nice to support IPv6 in fail2ban. It should not
be that difficult, especially since the ip6tables takes
exactly the same syntax. The only difference would be to
parse the log files a little different to match the IPv6 IP.

Discussion

  • Cyril Jaquier

    Cyril Jaquier - 2005-07-12

    Nice idea ;-)

    No problem with ip6tables since with Fail2Ban >= 0.5.0
    firewall rules are defined in the configuration file.

    Do you have SSH (or any other service) log files with IPv6
    addresses ?

    Thank you

     
  • Gatak

    Gatak - 2005-07-12

    Sure. Here is an example where I tried to hack myself with a
    random username ;)

    Jul 12 17:26:45 mail sshd[19196]: Server listening on :: port 22.
    Jul 12 17:27:40 mail sshd[19219]: Accepted keyboard-interactive/pam for root from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1048 ssh2
    Jul 12 17:27:40 mail sshd(pam_unix)[19222]: session opened for user root by root(uid=0)
    Jul 12 17:47:03 mail sshd[20192]: Invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f
    Jul 12 17:47:04 mail sshd(pam_unix)[20194]: check pass; user unknown
    Jul 12 17:47:04 mail sshd(pam_unix)[20194]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:16d8:ff02:0:9176:5b40:a39f:644f
    Jul 12 17:47:06 mail sshd[20192]: error: PAM: Authentication failure for illegal user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f
    Jul 12 17:47:06 mail sshd[20192]: Failed keyboard-interactive/pam for invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f port 1049 ssh2

    Remember though that some matches don't work.
    Specifically "-m state", as ipv6 iptables doesn't have conntrack
    yet.

     
  • Gatak

    Gatak - 2005-07-12

    I am running courier-mta/IMAP/POP3 and Apache and some
    other services on IPv6 too.

    courier log:
    Jul 12 17:53:51 mail imapd: Connection, ip=[::ffff:192.168.0.10]
    Jul 12 17:53:51 mail imapd: LOGIN, user=admin@tnonline.net, ip=[::ffff:192.168.0.10], protocol=IMAP

    A failed attempt to login:
    Jul 12 17:58:23 mail imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:192.168.0.10]

    These are connections from an IPv4 host. Courier listens on IPv6
    and so the address you see in the log is an IPv4 address
    converted into IPv6 address space. It may be important to be
    able to filter this properly.

    Not sure what I can give you with Apache. I do not use
    Apache for authentication for my websites. Here are two failed
    attempts to access a file.

    [Tue Jul 12 17:36:24 2005] [error] [client 82.182.126.23] File does not exist: /var/www/localhost/htdocs/tnonline.net/sumthin
    [Tue Jul 12 18:00:20 2005] [error] [client 2001:16d8:ff02:0:9176:5b40:a39f:644f] File does not exist: /var/www/localhost/htdocs/tnonline.net/dfsd

     
  • Cyril Jaquier

    Cyril Jaquier - 2005-07-12

    Thank you very much :-)

    Is it possible to give an IPv4 address to ip6tables? I read
    the man pages a bit and it does not seem to be possible :-/

    In general, do you use iptables and ip6tables in parallel?

    I think a good idea would be to replace the <ip> tag by
    <ipv4> and add <ipv6>. An example:

    <ipv4> = 192.168.0.10
    <ipv6> = ::ffff:192.168.0.10

    or

    <ipv4> = undefined
    <ipv6> = 2001:16d8:ff02:0:9176:5b40:a39f:644f

    Is that right that 2001:16d8:ff02:0:9176:5b40:a39f:644f does
    not have a corresponding IPv4 address?

    Thank you

     
  • Gatak

    Gatak - 2005-07-12

    No, you cannot give ipv4 addresses to ip6tables =/

    Perhaps you would need to do a test:

    if (ipv6==true){
        ip6tables ....
    } else {
        iptables ....
    }

    Yes, you are right that ipv6 addresses do not have
    corresponding ipv4 variants. Only the opposite, which is only
    true for applications listening on both IPv6 and IPv4. So if I
    instruct my sshd to only listen on 0.0.0.0:22 instead of [::]:22
    it will only have pure IPv4 addresses in the log.

     
  • Cyril Jaquier

    Cyril Jaquier - 2005-07-12

    Alright but if I give ::ffff:192.168.0.10 to ip6tables, it
    should work. No?

    The idea is to convert every IPv4 address to IPv6, take
    IPv6 addresses as they are and use ip6tables with <ipv6>.

    If you do not need IPv6 support, just use iptables with
    <ipv4> tag.

    Good or bad idea?

     
  • Gatak

    Gatak - 2005-07-12

    Yes, you can give ::ffff:192.168.0.10 to ip6tables, but it will not
    work as you would expect. The reason it would not work is
    because the source address is really IPv4 192.168.0.10. The
    IPv6 transformation is only done in the last step by the
    listening socket after the packet has gone through the firewall.
    At least this is what I believe. I will try to look it up.
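
The address handling the two previous comments converge on (match the failure line, unwrap ::ffff: IPv4-mapped addresses back to IPv4 for iptables, send real IPv6 addresses to ip6tables), as an added example that is not fail2ban's own code. The failure regexes, the ban command and the sample lines are assumptions modelled on the log formats quoted in this thread.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the sshd, courier imapd and
# apache formats quoted above; not real log data.
SAMPLE_LINES = [
    "Jul 12 17:47:03 mail sshd[20192]: Invalid user fdds from 2001:16d8:ff02:0:9176:5b40:a39f:644f",
    "Jul 12 17:58:23 mail imapd: LOGIN FAILED, method=CRAM-MD5, ip=[::ffff:192.168.0.10]",
    "[Tue Jul 12 17:36:24 2005] [error] [client 82.182.126.23] File does not exist: /var/www/localhost/htdocs/tnonline.net/sumthin",
    "[Tue Jul 12 18:00:20 2005] [error] [client 2001:16d8:ff02:0:9176:5b40:a39f:644f] File does not exist: /var/www/localhost/htdocs/tnonline.net/dfsd",
]

# One failure pattern per log format (assumed, not fail2ban's shipped filters).
# The <host> group uses a single character class that covers both IPv4
# dotted-quad text and IPv6 hex groups, so one regex serves both families.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + HOST),
    re.compile(r"imapd: LOGIN FAILED, .*ip=\[" + HOST + r"\]"),
    re.compile(r"\[error\] \[client " + HOST + r"\] File does not exist"),
]


def classify(host):
    """Return (family, address) for the firewall. An IPv4-mapped address
    (::ffff:a.b.c.d) is unwrapped to plain IPv4: the packet on the wire is
    IPv4, so only iptables will ever match it. Other addresses are
    normalised (lowercase, compressed) so the same host bans identically."""
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return "ipv4", str(addr.ipv4_mapped)
        return "ipv6", str(addr)
    return "ipv4", str(addr)


def ban_command(line):
    """Return the firewall command that would block the source of a
    matching failure line, or None when the line is not a failure."""
    for pattern in FAILURE_PATTERNS:
        m = pattern.search(line)
        if m:
            family, addr = classify(m.group("host"))
            tool = "ip6tables" if family == "ipv6" else "iptables"
            return f"{tool} -I INPUT -s {addr} -j DROP"  # assumed rule shape
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(ban_command(line))
```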

     
  • Cálestyo

    Cálestyo - 2010-09-27

    Hi.

    What's the status on this?

    Cheers,
    Chris.

     
