On 14/06/2011 08:25, Nikolaos Milas wrote:
> I would like to add that, although fail2ban is great and we have been using it for a long time, it doesn't support IPv6; now that our servers (we are using CentOS 5.6 x86_64) and networks are IPv6 enabled, this is a problem (but hopefully IPv6-based attacks should not be very common yet). We have not implemented a solution for protecting pop3/imap over IPv6 yet, but I have recently found this article: http://www.roedie.nl/tag/fail2ban/ which suggests autofwd: http://freshmeat.net/projects/autofwd which might provide a good solution. It seems versatile and supports IPv6.
> If anybody has done or can do an implementation on Linux (using iptables AND ip6tables) for pop3/imap, pop3s/imaps and share it, it will be most welcome and very useful.
I don't see why fail2ban would have anything to do with IPv6, since it simply runs a script when something needs doing? Just adapt your script? I haven't tried it, but possibly the regexps need tweaking also?
On a related note, recent kernels (and old kernels can build a module) implement "ipset". This is a way to implement a named hash of IPs/Ports/MACs, etc. The point is to use a single iptables rule to do something with your ipset; then you have the ability to dynamically alter the ipset as you will without needing to reload iptables rules.
(I believe that iptables is still unable to be altered dynamically? Each time you *think* you are inserting a rule, actually you are dropping the entire ruleset, then reinserting the entire new ruleset with one extra rule. This creates a window of opportunity each time you innocently insert a new rule. Further it explains the O(n^2) speed of running "iptables -A" or similar)
For these reasons ipset seems like a great addition!
Ed W
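As an added example (not code from this thread, from fail2ban or from autofwd): a fail2ban-style action script for the pop3/imap/pop3s/imaps ports that follows Ed's ipset approach, with one iptables rule and one ip6tables rule each matching a named set, so a ban or unban only changes set membership and never touches the rule table. The set names, the ban timeout and the F2B_APPLY switch are assumptions; the script prints the commands unless F2B_APPLY=1 is set (which needs root, ipset and ip(6)tables).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# One rule per address family points at a named ipset; bans and unbans
# then only add/remove set members. Set names, timeout and the
# F2B_APPLY switch are assumptions made for this example.

PORTS="110,143,995,993"   # pop3, imap, pop3s, imaps
SET4="f2b-mail-v4"        # assumed set name for IPv4 offenders
SET6="f2b-mail-v6"        # assumed set name for IPv6 offenders
BAN_SECONDS=3600          # entries expire on their own after this

# Print the command unless F2B_APPLY=1, in which case execute it.
run() {
    if [ "${F2B_APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Choose the set by address family: an address containing ':' is IPv6.
set_for() {
    case "$1" in
        *:*) echo "$SET6" ;;
        *)   echo "$SET4" ;;
    esac
}

# actionstart equivalent: create both sets, then hook one rule per family.
setup() {
    run ipset create "$SET4" hash:ip family inet timeout "$BAN_SECONDS" -exist
    run ipset create "$SET6" hash:ip family inet6 timeout "$BAN_SECONDS" -exist
    run iptables -I INPUT -p tcp -m multiport --dports "$PORTS" \
        -m set --match-set "$SET4" src -j DROP
    run ip6tables -I INPUT -p tcp -m multiport --dports "$PORTS" \
        -m set --match-set "$SET6" src -j DROP
}

# actionban / actionunban equivalents: touch only the set, never the rules.
ban()   { run ipset add "$(set_for "$1")" "$1" -exist; }
unban() { run ipset del "$(set_for "$1")" "$1" -exist; }

# Command-line entry point: setup | ban <addr> | unban <addr>
if [ $# -gt 0 ]; then
    case "$1" in
        setup) setup ;;
        ban)   ban "$2" ;;
        unban) unban "$2" ;;
    esac
fi
```

In a fail2ban action file the same three operations would sit under actionstart, actionban and actionunban, with the address passed via the <ip> tag.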