On 08/03/2025 14:03, Julian Bradfield via mailop wrote:
> On 2025-03-08, Marco Moock via mailop <mailop@mailop.org> wrote:
>> On 08.03.2025 at 11:56:56, Alessandro Vesely via mailop wrote:
>>> I read that since v0.10 fail2ban supports the matching of IPv6
>>> addresses. I don't use it, so I don't know how it works.
>> It can check for IPv6 addresses in the log and ban single IPv6
>> addresses, but I've never seen that it can escalate banning to entire
>> networks depending on the amount of already banned IPs in a subnet.
> It wouldn't be hard to tweak so that it bans /64s instead of single
> IPs. The adaptive widening is something I thought about doing offline
> in a separate cron job script, but I don't get enough IPv6 connections
> to make it worth the effort.
I /simulated/ IPv6 attacks. Ipqbdb uses a simple array of ranges, for
example /128, /64, /56, /48, /36, /32, /28, /24, /20, /12, and a
logarithmic function that computes an index into it. To devise suitable
parameters for that function I coded a TESTipv6[*] program that
simulates random attacks and draws a histogram of the results. Then
I tried various sets of numbers.
As few as IPv6 connections are in real life (barely reaching 5% of
traffic), they are enough to ban a handful of ranges.
Best
Ale
--
[*]
http://svn.savannah.gnu.org/viewvc/ipqbdb/trunk/test/TESTipv6.c?revision=115&view=markup
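
A sketch of the range-array-plus-logarithmic-index scheme described in the message above, added here as an illustration; it is not ipqbdb's code and not part of the original post. The prefix list is the one quoted in the message, while the widening rule, the `step` parameter, the function names and the sample address and counts are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Prefix lengths listed in the message, narrowest range first. */
static const int ranges[] = {128, 64, 56, 48, 36, 32, 28, 24, 20, 12};
#define NRANGES ((int)(sizeof ranges / sizeof ranges[0]))

/* Assumed widening rule (not ipqbdb's): index = floor(log2(hits)) / step,
 * clamped to the array, so every 2^step-fold rise in offences widens one level. */
int range_index(unsigned hits, unsigned step)
{
    int lg = 0;
    while (hits > 1) { hits >>= 1; lg++; }     /* integer floor(log2) */
    int idx = lg / (int)(step ? step : 1);
    return idx < NRANGES ? idx : NRANGES - 1;
}

/* Clear the host bits of a 16-byte IPv6 address beyond prefix_len. */
void mask_prefix(uint8_t addr[16], int prefix_len)
{
    for (int i = 0; i < 16; i++) {
        int bits = prefix_len - 8 * i;         /* prefix bits left in byte i */
        if (bits >= 8) continue;
        addr[i] = bits <= 0 ? 0 : addr[i] & (uint8_t)(0xff << (8 - bits));
    }
}

/* Pick the range for this offence count, mask addr in place, return the length. */
int ban_prefix(uint8_t addr[16], unsigned hits, unsigned step)
{
    int len = ranges[range_index(hits, step)];
    mask_prefix(addr, len);
    return len;
}

int main(void)
{
    const unsigned counts[] = {1, 4, 16, 256, 1u << 20};   /* constructed */
    for (int i = 0; i < 5; i++) {
        struct in6_addr a;
        char buf[INET6_ADDRSTRLEN];
        inet_pton(AF_INET6, "2001:db8:1234:5678:9abc:def0:1234:5678", &a);
        int len = ban_prefix(a.s6_addr, counts[i], 2);
        inet_ntop(AF_INET6, &a, buf, sizeof buf);
        printf("%7u offences -> ban %s/%d\n", counts[i], buf, len);
    }
    return 0;
}
```

A larger `step` makes the widening more conservative, which matters because every step past /64 can take in unrelated customers of the same provider.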