Fail2ban not blocking IPv6


#1

Hi
I tried wrong credentials on some of the apps that have Fail2ban, coming from an IPv6 address. Surprisingly, Fail2ban did not ban the IPv6 address. On IPv4 it works well.

Has someone else tried this? If IPv6 is getting bypassed, then there is a big security risk.

Note: The server and client both were on IPv6.


#2

For now IPv6 is not really supported in fail2ban. You can see here: https://github.com/fail2ban/fail2ban/blob/master/ChangeLog that it will be supported in 0.10.


#3

@Josue
Thanks for the information. Is there any other alternative way to patch this up?


#4

We should actually consider upgrading fail2ban to 0.10 for Yunohost.


#5

fail2ban will be upgraded when yunohost upgrades to buster, I think. Buster might be out in June 2018.


#6

@Josue
June 2019 :stuck_out_tongue:

I am testing fail2ban 0.10.2 from the testing branch on one of my servers. It's working well for IPv6 and IPv4.

fail2ban (0.10.2-1) unstable; urgency=medium This version is a major development leap forward to provide IPv6 support, which also required extensions to the configuration system. That is why it is not unlikely that configuration left from the previous version(s) would either not work or would not work as intended. You are advised to accept new configuration and adjust it for your customizations (if any). See changelog.Debian.gz for more information. – Yaroslav Halchenko <debian@onerussian.com> Sun, 21 Jan 2018 22:25:26 -0500


#7

June 2019 :stuck_out_tongue:

It’s less than one year… :wink:

If you want, you can write a tutorial on how to backport fail2ban on Debian stretch. And if you have good motivation, you can also work on the new fail2ban config for Yunohost. It will be really useful for the migration to buster :smile:


#8

I am still testing it and will continue for a few days, until I am absolutely sure it's working.
$ iptables -L --line-numbers doesn't show all the fail2ban services, but they are working. Can someone tell me where the iptables rules are set up on startup of the server?


#9

Normally it's the service yunohost-firewall which adds the firewall rules and restarts fail2ban to add the fail2ban rules.


#10

I will try these and figure out how to use it.


#11

Until Yunohost migrates to buster, here is a way to update Fail2ban to version 0.10.xx.

Please do it at your own risk; this can break Yunohost.

  1. Update your system:
    $ apt-get update && apt-get upgrade

  2. Create a file debian-testing.list in /etc/apt/sources.list.d/

  3. Put the lines in it:

         deb http://ftp.debian.org/debian testing main contrib non-free
         deb-src http://ftp.debian.org/debian testing main contrib non-free
    
  4. Create a file preferences in /etc/apt/ and put these lines in it:

     Explanation: Uninstall or do not install any Debian-originated
     Explanation: package versions other than those in the stable distro
     Package: *
     Pin: release a=stable
     Pin-Priority: 900
    
  5. Check that the system is not using the testing sources:
    $ apt-get update && apt-get upgrade
    Warning: there should be no package to upgrade. If it shows lots of packages to be updated, stop here :stop_sign: something did not work out. Undo the changes done in steps 3 and 4.

  6. Update Fail2ban from testing repo.
    $ apt-get -t testing install fail2ban

All done :partying_face:

Please note that the fail2ban for yunohost stops working after the upgrade, which you have to fix by Yunohost fail2ban error
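To make the gap discussed in this thread concrete, here is an added illustration (not code from the forum or from fail2ban itself) of why an IPv4-only host pattern never reaches the ban threshold for an IPv6 client. The two host regexes are simplified stand-ins for what fail2ban substitutes for the <HOST> placeholder, and the log lines are constructed documentation addresses.

```python
import re
from collections import Counter

# Constructed sshd log lines for the demo (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = """\
Mar  3 10:00:01 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:02 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:03 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 srv sshd[1002]: Failed password for root from 2001:db8::1234 port 40222 ssh2
Mar  3 10:00:06 srv sshd[1002]: Failed password for root from 2001:db8::1234 port 40223 ssh2
Mar  3 10:00:07 srv sshd[1002]: Failed password for root from 2001:db8::1234 port 40224 ssh2
Mar  3 10:00:09 srv sshd[1003]: Failed password for invalid user test from ::ffff:198.51.100.9 port 40225 ssh2
"""

# Assumption: simplified stand-ins for <HOST>, not fail2ban's exact regexes.
# The legacy form only understands dotted IPv4, optionally behind an IPv4-mapped "::ffff:" prefix.
LEGACY_HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The dual-stack form also accepts a colon-separated IPv6 address.
DUAL_HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)"

# A sshd-style failregex with the <HOST> placeholder still unexpanded.
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST> port \d+"


def compile_failregex(host_re):
    """Expand <HOST> with the given host pattern, as fail2ban does for its filters."""
    return re.compile(FAILREGEX.replace("<HOST>", host_re))


def failures_per_host(log_text, host_re):
    """Count matching failed logins per extracted host."""
    pat = compile_failregex(host_re)
    counts = Counter()
    for line in log_text.splitlines():
        m = pat.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def ban_candidates(log_text, host_re, maxretry=3):
    """Hosts that reached maxretry failures and would be banned."""
    return sorted(h for h, n in failures_per_host(log_text, host_re).items() if n >= maxretry)


def hosts_missed_by_legacy(log_text):
    """Attackers the dual-stack pattern sees but the IPv4-only pattern silently drops."""
    legacy = set(failures_per_host(log_text, LEGACY_HOST))
    dual = set(failures_per_host(log_text, DUAL_HOST))
    return sorted(dual - legacy)
```

Note that the IPv4-mapped form (::ffff:198.51.100.9) is still caught by the legacy pattern; only native IPv6 clients slip through.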