chesio / bc-security

Helps keeping WordPress websites secure.
The Unlicense
14 stars 3 forks

Decide what to do about IPv6 #140

Open chesio opened 1 year ago

chesio commented 1 year ago

Right now IPv6 is "supported", but given the differences between IPv4 and IPv6, I should consider whether IPv6 should be treated differently. The sheer amount of available (*) IPv6 addresses makes the blocklist feature rather inviable.

(*) Available not only in total, but to any single threat actor.

szepeviktor commented 1 year ago
chesio commented 1 year ago

Note: the web host most of our WordPress projects run on assigns a /64 IPv6 prefix to a single VPS instance.

chesio commented 1 year ago

A workaround to the IPv6 problem: turn off IPv6 access by removing the AAAA records of the domain from DNS 😄

szepeviktor commented 1 year ago

Fail2Ban authors also talk about this problem. https://github.com/fail2ban/fail2ban/issues/1123#issuecomment-210857398

jameskimmel commented 1 year ago

I think fail2ban should by default ban /48. My reasoning for a /48 ban is simple: that is what some ISPs offer to customers. That is what I get from my ISP. If you wanted to block me, you would have to block 65k subnets. That is probably too much just to block a single attacker.

Yeah, I already know what you are going to say. "That could falsely ban someone that only gets a /64 from his ISP". Yes, that is right. I totally agree with that argument. But let's look at IPv4 for a moment. If we block a single IPv4 address, what happens if that IPv4 is a CG-NAT IP? Well, all users behind that CG-NAT IP will get blocked. Is it fair? No. Is it a sexy solution? No. It is a dirty solution. BUT the reason why this is dirty is not fail2ban's fault! It is the ISP's fault for handing out CG-NAT IPv4 to customers instead of real, public IPv4 addresses. And the same logic in my opinion applies to IPv6. It is not fail2ban's fault that some ISPs only offer /64 prefixes.
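The /64-versus-/48 granularity argued about in this thread, as an added example that is not code from bc-security or from fail2ban: a small blocklist that stores IPv4 addresses individually but keys IPv6 entries on a configurable prefix, plus a helper that reproduces the "65k subnets" figure. The addresses are constructed documentation-range samples.

```python
import ipaddress


def blocklist_key(ip: str, v6_prefix: int = 64) -> str:
    """Map a client address to the key a prefix-aware blocklist stores.

    IPv4 addresses are stored individually (/32). IPv6 addresses are
    truncated to ``v6_prefix`` (the /64 or /48 discussed in the thread),
    so every address a single delegation can produce hits one entry.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return f"{addr}/32"
    # strict=False discards the host bits below the prefix boundary
    net = ipaddress.ip_network((str(addr), v6_prefix), strict=False)
    return str(net)  # e.g. "2001:db8:1234::/48"


def keys_needed_to_block(delegation_prefix: int, v6_prefix: int) -> int:
    """Blocklist entries needed to cover a whole ISP delegation.

    A /48 delegation blocked at /64 granularity needs 2**(64-48) = 65536
    entries, the "65k subnets" figure from the thread; blocking at a
    prefix at least as coarse as the delegation needs a single entry.
    """
    if v6_prefix <= delegation_prefix:
        return 1
    return 2 ** (v6_prefix - delegation_prefix)


class PrefixBlocklist:
    """Minimal in-memory blocklist keyed by ``blocklist_key`` (hypothetical)."""

    def __init__(self, v6_prefix: int = 64) -> None:
        self.v6_prefix = v6_prefix
        self._blocked = set()  # set of keys returned by blocklist_key

    def block(self, ip: str) -> str:
        key = blocklist_key(ip, self.v6_prefix)
        self._blocked.add(key)
        return key

    def is_blocked(self, ip: str) -> bool:
        # Collateral effect: any address sharing the stored prefix is
        # blocked too, which is the trade-off the thread weighs.
        return blocklist_key(ip, self.v6_prefix) in self._blocked
```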