On 16/6/2011 12:34 AM, Ed W wrote:
> I don't see why fail2ban would have anything to do with ipv6 since it simply runs a script when something needs doing? Just adapt your script? Not having tried it, but possibly the regexps need tweaking also?
Thanks Ed. You could be right. It could work, *if* the fail2ban engine does not do any particular internal processing with IP addresses in order to implement the rules logic (which I doubt; for example, when it adds iptables rules, it refers to the IP address as <ip> - see below). On the official fail2ban site, http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#IPv6, we don't see any solution related to IPv6.
If it's feasible, I wonder why we can't find anything about that on the Internet or on the fail2ban site. No one has done it yet? On the contrary, we can find ample "complaints" that fail2ban won't work with IPv6. Nowhere can we find ipv6 "filters" and "actions" for fail2ban. If someone (has time and) is sufficiently competent with iptables/ip6tables, then he could try to prepare such actions (and create filters with regex expressions to catch ipv6 events from logs too) and then give it a try.
For example, one could then add in jail.conf (after creating dovecot-pop3imap-ipv6.conf and ip6tables-multiport.conf):

    [dovecot-pop3imap-ipv6]
    enabled  = true
    filter   = dovecot-pop3imap-ipv6
    action   = ip6tables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath  = /var/log/dovecot.log
    maxretry = 10
    findtime = 600
    bantime  = 1800
My guess is that the fail2ban engine must be extended to "understand" ipv6 addresses and handle ip6tables appropriately.
> On a related note, recent kernels (and old kernels can build a module) implement "ipset". This is a way to implement a named hash of IPs/Ports/MACs, etc. The point is to use a single iptables rule to do something with your ipset, then you have the ability to dynamically alter the ipset as you will without needing to reload iptables rules.
It sounds interesting. I'll take a look at it when I have time. Still, one would have to update fail2ban (and/or other software) to use ipset instead of standard iptables (which will take at least some effort).
> (I believe that iptables is still unable to be altered dynamically? Each time you *think* you are inserting a rule, actually you are dropping the entire ruleset, then reinserting the entire new ruleset with one extra rule. This creates a window of opportunity each time you innocently insert a new rule. Further it explains the O(n^2) speed of running "iptables -A" or similar)
Actually, iptables can be altered dynamically. For example, the iptables-multiport action does:

    actionban   = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
"iptables -A" runs only when fail2ban starts.
Nick
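The thread's open question is whether an IPv6-capable jail only needs a tweaked failregex plus an ip6tables action, or whether the engine itself has to understand IPv6 addresses. The script below, added here as an illustration and not code from the thread or from the fail2ban project, works through what the engine actually has to do: a fail2ban-style failregex whose `<HOST>` placeholder matches both address families, validation of each captured string with Python's `ipaddress` module, the sliding `maxretry`/`findtime` count (10 failures within 600 s, the numbers from the jail above), and the choice between `iptables` and `ip6tables` for the actionban line. The Dovecot-like log lines, the IP addresses (documentation ranges) and all function names are constructed for this example and are assumptions, not anything taken from a real system.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style failregex for Dovecot login failures. <HOST> is the placeholder
# fail2ban's own filters use; everything else here is a constructed approximation
# of Dovecot's "Disconnected (auth failed ...)" line, not a copy of any real log.
FAILREGEX = (r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed, \d+ attempts\): "
             r".*rip=<HOST>,")

# Loose address patterns: enough to capture the token, with real validation done
# afterwards by ipaddress.ip_address() so that junk like "::" cannot become a ban.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}"
HOST_RE = rf"(?P<host>{IPV4}|{IPV6})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))


def parse_failures(log_text):
    """Yield (timestamp, address) for every line that matches the failregex.

    Syslog-style stamps carry no year, so timestamps are only used for differences.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("host"))  # IPv4Address or IPv6Address
        except ValueError:
            continue  # regex caught something that is not a valid address: ignore it
        yield datetime.strptime(line[:15], "%b %d %H:%M:%S"), addr


def hosts_to_ban(log_text, maxretry=10, findtime=600):
    """Return {address: time_of_ban} for hosts with >= maxretry failures inside a
    sliding findtime-second window, the way a jail counts them."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for ts, addr in parse_failures(log_text):
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:   # forget attempts older than findtime
            q.popleft()
        if len(q) >= maxretry and addr not in banned:
            banned[addr] = ts
    return banned


def ban_command(addr, name="dovecot-pop3imap"):
    """Build the actionban line, picking the tool by address family. This is the
    step a single iptables-only action cannot do for IPv6 sources."""
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return f"{tool} -I fail2ban-{name} 1 -s {addr.compressed} -j DROP"


def ban_commands(log_text, maxretry=10, findtime=600):
    return [ban_command(a) for a in hosts_to_ban(log_text, maxretry, findtime)]


# --- constructed sample log (hypothetical hosts in documentation address ranges) ---
def _line(ts, service, user, rip):
    lip = "2001:db8::1" if ":" in rip else "192.0.2.1"
    return (f"{ts:%b %d %H:%M:%S} mail dovecot: {service}-login: Disconnected "
            f"(auth failed, 1 attempts): user=<{user}>, method=PLAIN, rip={rip}, lip={lip}, TLS")


T0 = datetime(2011, 6, 16, 0, 31, 0)
SAMPLE_LINES = []
# 1) an IPv6 source failing 10 times in 18 seconds: must be banned
for i in range(10):
    SAMPLE_LINES.append(_line(T0 + timedelta(seconds=2 * i), "imap", "alice", "2001:db8::1234"))
# 2) an IPv4 source that fails only twice: under maxretry
for i in range(2):
    SAMPLE_LINES.append(_line(T0 + timedelta(seconds=5 + i), "pop3", "bob", "192.0.2.10"))
# 3) an IPv6 source with 12 failures spread 100 s apart: never 10 inside findtime=600
for i in range(12):
    SAMPLE_LINES.append(_line(T0 + timedelta(seconds=100 * i), "imap", "carol", "2001:db8::beef"))
# 4) a successful login, which the failregex must not match
SAMPLE_LINES.append(f"{T0:%b %d %H:%M:%S} mail dovecot: imap-login: Login: user=<dave>, "
                    "method=PLAIN, rip=2001:db8::cafe, lip=2001:db8::1, TLS")
SAMPLE_LOG = "\n".join(sorted(SAMPLE_LINES))  # fixed-width stamps sort chronologically

if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
```

With the jail's own numbers only the fast IPv6 brute force is reported, and the command it yields starts with `ip6tables`; the slow IPv6 source never accumulates 10 failures inside any 600 s window, which is the findtime behaviour the jail relies on. Lowering `maxretry` to 2 shows the same code emitting an `iptables` line for the IPv4 host, i.e. the address-family decision belongs in the engine or action, not in the regex.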