Ssh – Blocking SSH Brute Force attacks on IPv6

Tags: ip6tables, ipv6, security, ssh, sshd

I recently had to work with some servers that have an IPv6 connection and I was surprised to find out that fail2ban does not have IPv6 support, and neither does denyhosts.
Searching on Google I found that people generally recommend:

  • Deactivating ssh login through IPv6 (not a solution for me)
  • Using only private/public key authentication on the server, with no password authentication (works, but a lot of attacks might cost the server a lot of processing power, or it might even make it unavailable by DDoS-ing it)
  • Using ip6tables to block consecutive attacks from the same IP
  • Using sshguard, which has IPv6 support

From what I've gathered so far, banning addresses in IPv6 is a bit different than on IPv4 because ISPs don't give a user a single address (/128), but a whole subnet (I currently have a /48). Thus banning single IPv6 addresses would be ineffective against attacks. I've searched high and low on the subject of ip6tables and sshguard blocking subnets on attack detection, but I haven't managed to find any information.

Does anyone know if sshguard bans subnets on IPv6 attacks?
Does anyone know how to make an ip6tables configuration for banning subnets on IPv6 attacks?
Or does anyone know of a better way of mitigating the attacks than what I've already found?

PS: I'm using CentOS 7 on the system.
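The question asks for an ip6tables configuration that bans a subnet rather than a single /128 once an attack is detected. The following is an added example, not code from the question or from any answer on this page: it uses the xt_recent match with its --mask option so that every source address inside the prefix (default /64) shares one entry in the recent list, and drops new SSH connections from that prefix once the hit count is reached. The chain name SSH6_GUARD, the list name ssh6, the thresholds (5 new connections in 600 seconds) and the PREFIX/DO_APPLY switches are assumptions; the script only prints the ip6tables commands unless DO_APPLY=1, since applying them needs root.

```shell
#!/bin/sh
# Added example, not from the original question: ip6tables rules that ban a
# whole prefix (default /64) after repeated new SSH connections, using the
# xt_recent --mask option so every address in the prefix shares one entry.
# Thresholds, chain/list names and prefix length are assumptions; the
# ip6tables commands are only printed unless DO_APPLY=1 (needs root).
set -eu

# Expand a prefix length (0-128) into the full-form netmask that
# "-m recent --mask" expects, e.g. 64 -> ffff:ffff:ffff:ffff:0:0:0:0
prefix_to_mask() {
    bits=$1; out=""; i=0
    while [ "$i" -lt 8 ]; do
        if [ "$bits" -ge 16 ]; then
            h=ffff; bits=$((bits - 16))
        elif [ "$bits" -le 0 ]; then
            h=0
        else
            # partial group: keep the top $bits bits of a 16-bit word
            h=$(printf '%x' $(( (0xffff << (16 - bits)) & 0xffff ))); bits=0
        fi
        out="${out}${out:+:}${h}"
        i=$((i + 1))
    done
    echo "$out"
}

# Print the rule set. $1 = prefix length to ban, $2 = new connections
# allowed per prefix, $3 = window in seconds. The --set rule records the
# prefix on every new connection; the --update rule drops once the prefix
# has $2 hits within $3 seconds (and refreshes the timestamp while it does).
ssh_ban_rules() {
    mask=$(prefix_to_mask "$1")
    cat <<EOF
ip6tables -N SSH6_GUARD
ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH6_GUARD
ip6tables -A SSH6_GUARD -m recent --name ssh6 --mask $mask --set
ip6tables -A SSH6_GUARD -m recent --name ssh6 --mask $mask --update --seconds $3 --hitcount $2 -j DROP
ip6tables -A SSH6_GUARD -j ACCEPT
EOF
}

echo "# rules for banning /${PREFIX:-64} prefixes (run as root):"
ssh_ban_rules "${PREFIX:-64}" 5 600
if [ "${DO_APPLY:-0}" = 1 ]; then
    ssh_ban_rules "${PREFIX:-64}" 5 600 | sh
fi
```

Two caveats when choosing the prefix length: /64 is what a single end-user network normally holds, so banning it rarely hits anyone but the attacker, whereas a /48 or shorter may cover an entire ISP customer base; and xt_recent only tracks up to ip_pkt_list_tot hits per entry (20 by default), so keep --hitcount below that. Banning by connection count still lets a slow attacker keep trying under the threshold, so key-only authentication remains the stronger control.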

Best Answer

In order to attack a server the attacker must first know its IP address. With IPv6 you will have so many addresses to choose from that it is not feasible to find the correct address by scanning the IP range.

This means you can simply assign two different IPv6 addresses to the interface. You let the domain name of your site keep pointing to the same IP address as always, and you let sshd listen only on the newly assigned IP address.

After that change knowing the domain name and IP address of your site will not give an attacker any access to your sshd.

You will of course need a secondary host name to be used when connecting using ssh. That host name can have a lot more entropy than an IPv6 address. Somebody guessing the host name for ssh is inconceivable if you use 63 alphanumeric characters.

Should somebody find out the IPv6 address used for sshd, you simply move sshd to a new IPv6 address and update the AAAA record. Then they have to start all over.

If you are worried that a legitimate ssh user might leak the host name and/or IP addresses, then you can create a different host name for each user to access with ssh. Initially I would CNAME all of them to a single host name such that there is only a single AAAA record to update.
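The answer above describes a procedure: keep the site on its existing IPv6 address, add a second address that only sshd listens on, publish that address under a 63-character random host name, and give each user a CNAME to it so that a rotation only changes one AAAA record. The script below is an added example of that procedure, not code from the answer or its author. The interface name, the addresses (taken from the 2001:db8::/32 documentation prefix), the zone example.com and the user names are constructed placeholders, and DO_APPLY=1 is an assumed switch that would actually run the ip(8) command; by default everything is only printed.

```shell
#!/bin/sh
# Added example, not code from the original answer: move sshd to a second
# IPv6 address reachable only via a high-entropy host name. Every address,
# interface and zone name below is a constructed placeholder (2001:db8::/32
# is the IPv6 documentation prefix); DO_APPLY=1 is an assumed switch that
# would actually run the ip(8) command, which needs root.
set -eu

IFACE="${IFACE:-eth0}"            # assumed interface name
WEB_ADDR="2001:db8:1::80"         # constructed: address the site keeps using
SSH_ADDR="2001:db8:1::2a7f:9c31"  # constructed: new address for sshd only
ZONE="example.com"                # constructed zone name

# 63 lowercase alphanumerics, the longest label DNS allows (~325 bits).
gen_label() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 63
    echo
}

# Command that adds the sshd-only address. preferred_lft 0 marks it
# deprecated, so the kernel will not choose it as the source address for
# outbound connections (which would leak it); sshd can still bind to it.
ip_commands() {
    echo "ip -6 addr add $1/64 dev $IFACE preferred_lft 0"
}

# sshd_config fragment: listen on the sshd-only address and nothing else.
# Any other ListenAddress line in sshd_config must be removed for this to hold.
sshd_listen_fragment() {
    printf 'ListenAddress %s\n' "$1"
}

# Zone fragment: the site keeps its AAAA record, the random label gets the
# sshd address, and each user gets a CNAME so a rotation changes one AAAA.
# $1 = random label, remaining arguments = user names.
zone_fragment() {
    label="$1"; shift
    printf 'www\tAAAA\t%s\n' "$WEB_ADDR"
    printf '%s\tAAAA\t%s\n' "$label" "$SSH_ADDR"
    for user in "$@"; do
        printf '%s-ssh\tCNAME\t%s.%s.\n' "$user" "$label" "$ZONE"
    done
}

label=$(gen_label)
echo "# run as root:"
ip_commands "$SSH_ADDR"
echo "# append to /etc/ssh/sshd_config, then: systemctl restart sshd"
sshd_listen_fragment "$SSH_ADDR"
echo "# add to the $ZONE zone:"
zone_fragment "$label" alice bob
if [ "${DO_APPLY:-0}" = 1 ]; then
    ip_commands "$SSH_ADDR" | sh
fi
```

Two practical points: sshd refuses to start if a ListenAddress is not yet configured on the host, so on CentOS 7 the extra address should be made persistent (for example via IPV6ADDR_SECONDARIES in the interface's ifcfg file) rather than added by hand after boot; and with only an IPv6 ListenAddress configured, sshd will no longer accept IPv4 connections, so add a separate IPv4 ListenAddress if those are still wanted.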
