[opensuse-factory] Fail2ban 0.10.1 with IPv6 features in security/fail2ban
Dear all!

I have just submitted fail2ban 0.10.1 to the security project. This update brought a lot of changes which are documented in the changelog and at https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog

My tests were successful but I can't test with IPv6. Please let me know if you see any issues. I plan to submit the package to factory next week.

Best regards,
Johannes

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Johannes Weberhofer wrote:
> I have just submitted fail2ban 0.10.1 to the security project. This update brought a lot of changes which are documented in the changelog and at https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog

Thank you. Good to know that IPv6 is finally coming. Without IPv6 protection, a lot of servers are unprotected against IPv6 clients.

> My tests were successful but I can't test with IPv6. Please let me know if you see any issues. I plan to submit the package to factory next week.

My home Internet provider also does not offer IPv6. My idea is to test in LAN. Usually every IPv6 capable host in LAN gets a link-local address in network fe80::/64. So you can try to test with a local IPv6 address to access e.g. password protected Apache folders multiple times until Fail2ban fires.

Unfortunately I can run this with IPv4, but IPv6 gives me an error. Ideas?

IPv4 with 127.0.0.100 (an address in the localhost network)

$ wget --bind-address=127.0.0.100 http://localhost/mythweb
--2017-10-24 14:06:00-- http://localhost/mythweb
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

IPv6 with fe80:0000:0000:0000:0000:0000:0000:000a (a link-local IPv6 address)

$ wget --bind-address=fe80:0000:0000:0000:0000:0000:0000:000a \
    'http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb'
--2017-10-24 14:08:43-- http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb
Connecting to fe80:0000:0000:0000:0000:0000:0000:0001 (fe80:0000:0000:0000:0000:0000:0000:0001)|fe80::1|:80... failed: Invalid argument.

Greetings,
Björn
On Oct 24 2017, Bjoern Voigt <bjoernv@arcor.de> wrote:

> $ wget --bind-address=fe80:0000:0000:0000:0000:0000:0000:000a \
>     'http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb'
> --2017-10-24 14:08:43-- http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb
> Connecting to fe80:0000:0000:0000:0000:0000:0000:0001 (fe80:0000:0000:0000:0000:0000:0000:0001)|fe80::1|:80... failed: Invalid argument.

A link-local address needs to be qualified with the interface (e.g. fe80::1%eth0).

Andreas.

--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
Andreas Schwab wrote:
> On Oct 24 2017, Bjoern Voigt <bjoernv@arcor.de> wrote:
>
>> $ wget --bind-address=fe80:0000:0000:0000:0000:0000:0000:000a \
>>     'http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb'
>> --2017-10-24 14:08:43-- http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb
>> Connecting to fe80:0000:0000:0000:0000:0000:0000:0001 (fe80:0000:0000:0000:0000:0000:0000:0001)|fe80::1|:80... failed: Invalid argument.
>
> A link-local address needs to be qualified with the interface (e.g. fe80::1%eth0).

Oh, thanks. I forgot this. But unfortunately "wget" still does not play with this IPv6 syntax. br0 is my bridge to the first network adapter eno1.

$ wget -6 --bind-address=fe80::a%br0 http://[fe80::1%br0]/mythweb
http://[fe80::1%br0]/mythweb: Invalid IPv6 numeric address.

Next try is to enable IPv6 on my Fritz!Box router for the LAN only.

Greetings,
Björn
On 10/24/2017 09:29 AM, Bjoern Voigt wrote:
>> A link-local address needs to be qualified with the interface (e.g. fe80::1%eth0).
>
> Oh, thanks. I forgot this. But unfortunately "wget" still does not play with this IPv6 syntax. br0 is my bridge to the first network adapter eno1.
>
> $ wget -6 --bind-address=fe80::a%br0 http://[fe80::1%br0]/mythweb
> http://[fe80::1%br0]/mythweb: Invalid IPv6 numeric address.

As I mentioned in another note, Unique Local Addresses will work fine. Like RFC 1918 addresses on IPv4, they can be routed etc., but not onto the Internet.
Quoting Bjoern Voigt <bjoernv@arcor.de>:

> Andreas Schwab wrote:
>> On Oct 24 2017, Bjoern Voigt <bjoernv@arcor.de> wrote:
>>
>>> $ wget --bind-address=fe80:0000:0000:0000:0000:0000:0000:000a \
>>>     'http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb'
>>> --2017-10-24 14:08:43-- http://[fe80:0000:0000:0000:0000:0000:0000:0001]/mythweb
>>> Connecting to fe80:0000:0000:0000:0000:0000:0000:0001 (fe80:0000:0000:0000:0000:0000:0000:0001)|fe80::1|:80... failed: Invalid argument.
>>
>> A link-local address needs to be qualified with the interface (e.g. fe80::1%eth0).
>
> Oh, thanks. I forgot this. But unfortunately "wget" still does not play with this IPv6 syntax. br0 is my bridge to the first network adapter eno1.
>
> $ wget -6 --bind-address=fe80::a%br0 http://[fe80::1%br0]/mythweb
> http://[fe80::1%br0]/mythweb: Invalid IPv6 numeric address.
>
> Next try is to enable IPv6 on my Fritz!Box router for the LAN only.

If you have a routable (non RFC-1918) IPv4 address, setting up a (free) 6in4 tunnel through Hurricane Electric (https://www.tunnelbroker.net/) could also be an option.
On 10/24/2017 08:18 AM, Bjoern Voigt wrote:
> My home Internet provider also does not offer IPv6. My idea is to test in LAN. Usually every IPv6 capable host in LAN gets a link-local address in network fe80::/64. So you can try to test with a local IPv6 address to access e.g. password protected Apache folders multiple times until Fail2ban fires.
>
> Unfortunately I can run this with IPv4, but IPv6 gives me an error. Ideas?

You're better off testing with Unique Local Addresses, which are the IPv6 equivalent of IPv4 RFC 1918 addresses. The problem with link local addresses is they're often difficult to work with. You have to specify the interface to be used and some apps, such as browsers, tend not to work with them. You can create a ULA prefix by appending 10 random hex digits to f8.

https://en.wikipedia.org/wiki/Unique_local_address
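
Added example (not part of any message in this thread): a shell sketch of the ULA-based LAN test discussed above. It follows RFC 4193, where a locally assigned prefix is fd followed by a 40-bit random global ID; the interface br0, the host IDs ::1 and ::a and the /mythweb URL come from the thread, while the function names and the <jail> placeholder are assumptions made for illustration. The script only prints the commands to run.

```shell
#!/bin/sh
# Added example: plan a LAN-only IPv6 test on Unique Local Addresses.
# Nothing here changes the system; plan_commands only prints commands.

# 40 random bits as 10 lowercase hex digits (the ULA global ID).
random_global_id() {
    od -An -N5 -tx1 /dev/urandom | tr -d ' \n'
}

# ula_prefix [GLOBAL_ID] -> first three groups of the /48, e.g. fd01:2345:6789
ula_prefix() {
    gid=${1:-$(random_global_id)}
    case $gid in
        *[!0-9a-f]*) echo "global ID must be lowercase hex" >&2; return 1 ;;
    esac
    [ "${#gid}" -eq 10 ] || { echo "global ID needs 10 hex digits" >&2; return 1; }
    # "fd" = fc00::/7 with the L bit set, i.e. locally assigned (RFC 4193)
    printf 'fd%s:%s:%s\n' \
        "$(printf %s "$gid" | cut -c1-2)" \
        "$(printf %s "$gid" | cut -c3-6)" \
        "$(printf %s "$gid" | cut -c7-10)"
}

# plan_commands IFACE [GLOBAL_ID]: print the steps for one test run.
plan_commands() {
    iface=$1
    prefix=$(ula_prefix "${2:-}") || return 1
    server="${prefix}::1"   # host IDs ::1 and ::a mirror the thread
    client="${prefix}::a"
    printf '# as root, on the web server:\n'
    printf 'ip -6 addr add %s/64 dev %s\n' "$server" "$iface"
    printf '# as root, on the client:\n'
    printf 'ip -6 addr add %s/64 dev %s\n' "$client" "$iface"
    printf '# repeat with a wrong password until the jail bans the client:\n'
    printf 'wget -6 --bind-address=%s http://[%s]/mythweb\n' "$client" "$server"
    printf '# the client address should now be listed as banned:\n'
    printf 'fail2ban-client status <jail>\n'
}

plan_commands "${1:-br0}"
```

Because ULA addresses carry no interface scope, the URL needs no %iface suffix, which is the part wget rejected in the link-local attempts.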
participants (5)
- Andreas Schwab
- Arjen de Korte
- Bjoern Voigt
- James Knott
- Johannes Weberhofer