szepeviktor
commented
1 year ago - ban a single IPv6 address ❌
- ban /64 🤔
- ban /56 🤔
- search phrase:
isp ipv6 assign prefix
Open chesio opened 1 year ago
szepeviktor
commented
1 year ago isp ipv6 assign prefix
chesio
commented
1 year ago Note: the webhost most our WordPress projects run on, assigns /64 IPv6 prefix to a single VPS instance.
chesio
commented
1 year ago A workaround to IPv6 problem: turn off IPv6 access by removing AAAA records of the domain from DNS 😄
szepeviktor
commented
1 year ago Fail2Ban authors also talk about this problem. https://github.com/fail2ban/fail2ban/issues/1123#issuecomment-210857398
jameskimmel
commented
1 year ago I think fail2ban should by default ban /48. My reasoning for a /48 ban is simple: that is what a some ISPs offer to customers. That is what I get from my ISP. If you wanted to block me, you would have to block 65k subnets. That is probably too much just to block a single attacker.
Yeah, I already know what you are going to say. "That could falsely ban someone that only gets a /64 from his ISP". Yes, that is right. I totally agree with that argument. But let's look at IPv4 for a moment. If we block a single IPv4 address, what happens if that IPv4 is a CG-NAT IP? Well, all users behind that CG-NAT IP will get blocked. Is it fair? No. Is it a sexy solution? No. It is a dirty solution. BUT the reason why this is dirty is not fail2bans fault! It is the ISPs fault for handing out CG-NAT IPv4 to customers instead of real, public IPv4 addresses. And the same logic in my opinion applies to IPv6. It is not fail2bans fault that some ISPs only offer /64 prefixes.
Right now IPv6 is "supported", but given the differences between IPv4 and IPv6, I should consider whether IPv6 should be treated differently. The sheer amount of available (*) IPv6 addresses makes blocklist feature rather inviable.
(*) Available not only in total, but to any single threat actor.