Fail2ban - does it work for IPv6 addresses, too? #1734

Closed
szaimen opened this issue Dec 21, 2020 · 16 comments

@szaimen
Collaborator

szaimen commented Dec 21, 2020

@enoch85 do you know if Fail2ban works for IPv6 addresses, too? I've until now only seen IPv4 addresses that get blocked by Fail2ban...

@enoch85
Member

enoch85 commented Dec 21, 2020

I'm sure it's supported, but nothing we've implemented yet.

Even though I've got a "Sage T-shirt", my knowledge in IPv6 is very limited.

@szaimen
Collaborator Author

szaimen commented Dec 21, 2020

I guess we need to investigate

Question is, if ipv6 addresses get logged by nextcloud and sshd if logins were unsuccessful. Do you know if that is the case?

Maybe this works:
https://www.ringingliberty.com/2020/07/16/how-to-setup-fail2ban-with-ufw-to-block-ipv6/

@enoch85
Member

enoch85 commented Feb 11, 2021

Any progress here?

@szaimen
Collaborator Author

szaimen commented Feb 11, 2021

No, since I cannot test if the ipv6 address also gets logged in the nextcloud log:
My server and a testserver are currently only reachable via ipv4. Which doesn't work. I would also need to force the ipv6 address on a testdevice if I wanted to check if ipv6 address also gets logged inside the nextcloud logfile. Could you maybe test this out on your server?

@szaimen
Collaborator Author

szaimen commented May 8, 2021

@enoch85 I suppose the clouds that you manage are only accessible via IPv4, too?

@enoch85
Member

enoch85 commented May 8, 2021

Don't know, but I guess not. IPv6 is usually "available" but not default.

@szaimen
Collaborator Author

szaimen commented May 9, 2021

I don't know if you manage cloud.kafit.se but dig cloud.kafit.se aaaa +short seems to return an IPv6 address.
If you have access to the logs of that instance, I could try to connect via IPv6 and try to trigger some unsuccessful logins. Then you could have a look if they get logged there...
Edit: the ipv6 address doesn't seem to work. So I guess it is not the correct one of the server or maybe the router from this server doesn't allow ipv6 connections...

@enoch85
Member

enoch85 commented May 9, 2021

Sorry, I don't have SSH access to Kafit's cloud. :/

@szaimen
Collaborator Author

szaimen commented May 9, 2021

Would also not work since the server doesn't seem to be reachable via their ipv6 record...

@enoch85
Member

enoch85 commented May 10, 2021

You could try to set up a DigitalOcean VPS (or whatever provider) and enable IPv6 only to see if Fail2ban works or not.

That's how I usually do when I don't have the resources available myself.

@szaimen
Collaborator Author

szaimen commented May 10, 2021

I was now able to test it locally:
this was logged to the nextcloud.log:

{
  "reqId": "4AhKqTdCKZZ3SFIaQwAt",
  "level": 2,
  "time": "2021-05-10T13:56:29+02:00",
  "remoteAddr": "fe80::70b6:8958:833b:8c6a",
  "user": "--",
  "app": "no app in context",
  "method": "POST",
  "url": "/login",
  "message": "Login failed: admin (Remote IP: fe80::70b6:8958:833b:8c6a)",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
  "version": "20.0.9.1"
}

So the ipv6 address seems to get logged to the nextcloud.log
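
The check discussed in this thread (does a failed login in nextcloud.log carry an IPv6 source address that a ban tool could act on) as an added example, not code from this repository or from Fail2ban: it reads the `remoteAddr` field of a log entry, validates it with Python's `ipaddress` module and reports address family and link-local scope. The function name and the IPv4 comparison line are constructed for illustration.

```python
import ipaddress
import json

# Entry from the comment above, written on one line as in nextcloud.log
# (userAgent omitted for brevity).
SAMPLE_V6 = json.dumps({
    "reqId": "4AhKqTdCKZZ3SFIaQwAt", "level": 2,
    "time": "2021-05-10T13:56:29+02:00",
    "remoteAddr": "fe80::70b6:8958:833b:8c6a", "user": "--",
    "app": "no app in context", "method": "POST", "url": "/login",
    "message": "Login failed: admin (Remote IP: fe80::70b6:8958:833b:8c6a)",
    "version": "20.0.9.1",
})
# Constructed IPv4 counterpart using a documentation address (RFC 5737).
SAMPLE_V4 = SAMPLE_V6.replace("fe80::70b6:8958:833b:8c6a", "203.0.113.7")


def failed_login_source(line):
    """Return (address, ip_version, is_link_local) for a failed-login entry,
    or None when the line is not one or carries no valid address."""
    try:
        entry = json.loads(line)
    except ValueError:          # json.JSONDecodeError is a ValueError
        return None
    if not isinstance(entry, dict):
        return None
    if not str(entry.get("message", "")).startswith("Login failed:"):
        return None
    # Use the structured remoteAddr field: the message text also contains the
    # client-supplied user name, so it is the less reliable place to look.
    try:
        addr = ipaddress.ip_address(str(entry.get("remoteAddr", "")))
    except ValueError:
        return None
    return (addr.compressed, addr.version, addr.is_link_local)


if __name__ == "__main__":
    for sample in (SAMPLE_V6, SAMPLE_V4, "not json"):
        print(failed_login_source(sample))
```

The address in the logged entry is link-local (fe80::/10), so it confirms that IPv6 sources are written to the log, but it is not an address a client outside the local network segment would present.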

@enoch85
Member

enoch85 commented May 10, 2021

OK, cool, so Fail2ban blocks it as well?

@szaimen
Collaborator Author

szaimen commented May 10, 2021

No, unfortunately it doesn't work with ipv6 addresses. Fail2ban seems to register them as 0.0.0.1 addresses which is obviously wrong. I couldn't make it work with the link I've sent above, either...

@szaimen
Collaborator Author

szaimen commented May 10, 2021

I am unsure how to proceed from here.
I discovered that fail2ban isn't able to block ipv6 addresses and I am not able to fix it...

@enoch85
Member

enoch85 commented May 10, 2021

Let's close it then? :D

@szaimen
Collaborator Author

szaimen commented May 10, 2021

> Let's close it then?

Hm... I suppose so...

@enoch85 enoch85 closed this as completed May 10, 2021