On 16/06/11 12:12, Nikolaos Milas wrote:
On 16/6/2011 12:34 AM, Ed W wrote:
I don't see why fail2ban would have anything to do with ipv6 since it simply runs a script when something needs doing? Just adapt your script? Not having tried it, but possibly the regexps need tweaking also?
Thanks Ed. You could be right. It could work, *if* the fail2ban engine does not do any particular internal processing with IP addresses in order to implement the rules logic (which I doubt; for example, when it adds iptables rules, it refers to the IP address as <ip> - see below). On the official fail2ban site: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6, we don't see any solution related to IPv6.
If it's feasible, I wonder why we can't find anything about that on the Internet or on the fail2ban site. No one has done it yet? On the contrary, we can find ample "complaints" that fail2ban won't work with IPv6.
There has been some discussion on the fail2ban mailing list about ipv6 support implementations lately. Please see http://sourceforge.net/mailarchive/forum.php?forum_name=fail2ban-users (thank you SF for the awesome UI).
Nowhere can we find ipv6 "filters" and "actions" for fail2ban.
As long as fail2ban has no support for catching ipv6 ip addresses, there is no use for a filter that can handle these. Adaptation of the iptables actions to ip6tables would be trivial, though.
If someone (has time and) is sufficiently competent with iptables/ip6tables, then he could try to prepare such actions (and create filters with regex expressions to catch ipv6 events from logs too) and then give it a try.
Again, most of the pros, cons and implementation issues came along on the mailing list. I suggest that you take your fail2ban issue there, since this is no dovecot issue :)
-- Regards,
Tom
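
Added example, not part of the thread and not fail2ban's own code: a sketch of the two pieces discussed above, a filter that catches both IPv4 and IPv6 hosts and an action that picks iptables or ip6tables by address family. The log lines are constructed samples modelled on dovecot login failures, and the chain name `fail2ban-dovecot` is hypothetical.

```python
import ipaddress
import re

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = [
    "Jun 16 12:01:02 mx dovecot: imap-login: Aborted login (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1",
    "Jun 16 12:01:09 mx dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<eve>, method=PLAIN, rip=2001:db8::bad:1, lip=2001:db8::1",
    "Jun 16 12:01:15 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<al>, method=PLAIN, rip=::ffff:198.51.100.7, lip=192.0.2.1",
    "Jun 16 12:01:20 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<x>, method=PLAIN, rip=2001:db8:::1, lip=192.0.2.1",
]

# Capture loosely (hex digits, dots, colons); ipaddress does the real validation.
FAIL_RE = re.compile(r"\(auth failed, \d+ attempts\).*?\brip=([0-9A-Fa-f:.]+)")


def extract_host(line):
    """Return a validated address object for a failed login, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # address-shaped but invalid: never hand it to a firewall command
    # ::ffff:a.b.c.d arrived over IPv4, so it has to be blocked in the IPv4 table.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def ban_command(addr, chain="fail2ban-dovecot"):
    """Build the ban argv; same rule shape for both families, different tool."""
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return [tool, "-I", chain, "1", "-s", str(addr), "-j", "DROP"]


def plan_bans(lines):
    """Map log lines to ban commands, skipping lines with no valid host."""
    return [ban_command(a) for a in map(extract_host, lines) if a is not None]


if __name__ == "__main__":
    for argv in plan_bans(SAMPLE_LOG):
        print(" ".join(argv))
```

The commands are returned as argument lists rather than shell strings, so a host value taken from a log line is never interpreted by a shell.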