Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ipv6 support #108

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add ipv6 support #108

wants to merge 4 commits into from

Conversation

kiekerjan
Copy link

Added ipv6 support with much inspiration from the code at https://github.com/leshniak/nft-blacklist from @leshniak

@ann0see
Copy link

ann0see commented Jun 16, 2023

Great. Thanks for opening the PR!

@joe-at-startupmedia
Copy link

Interesting contribution. Two things:

  1. Based on the contents of your README, this seems more like a fork than a pull request. I guess submitting a pull request is another way of advertising your fork?

  2. What is the practicality of maintaining an IPV6 blacklist? With IPV4, it was already questionable considering there are 4.3 billion possible IP Addresses. Sure, hackers have access to a much smaller subset which makes maintaining a blacklist worthwhile. IPV6 has 340 undecillion (that's right undecillion is a number) possible IP addresses. Even if hackers only had access to a subset of 1 undecillion, I'm sure maintaining a blacklist at this point is impractical. Thoughts?

@joe-at-startupmedia
Copy link

Relevant paper on the topic:
https://arxiv.org/pdf/2308.08356
Evaluating IP Blacklists Effectiveness (August 2023)
Two mentionable quotes:

  1. "While the work reported in this paper applies and has been evaluated on both IPv4 and IPv6 networks, the evaluation discussed below will be limited to IPv4 as we have not been able to find high-quality and actively maintained IPv6 blacklists."
  2. "Another fact worth remarking is that while both hosts are dual stack, 99% of the attackers use IPv4 addresses."

@thelioncape
Copy link

thelioncape commented Aug 17, 2024
edited
Loading

It's probably worth noting that IPv6 addresses are mostly distributed in /48 blocks, with some ISPs providing /56 or /64 ranges. IPv6 addresses are almost always subnetted into /64 ranges so it should be safe to block a /64 subnet based on an address from that range.

@drzraf
Copy link
Contributor

drzraf commented Sep 26, 2024

It's probably worth noting that IPv6 addresses are mostly distributed in /48 blocks, with some ISPs providing /56 or /64 ranges. IPv6 addresses are almost always subnetted into /64 ranges so it should be safe to block a /64 subnet based on an address from that range.

It's a current practice but not a recommendation (and its also unnatural in many respects: why assign (and block) 18446744073709551616 IPs at once?). OVH, to take one example, only assign 1 IPv6 to their virtual-servers.

drzraf
drzraf reviewed Sep 30, 2024
View reviewed changes
ansible/templates/update-blacklist.conf.j2
BLACKLISTS=(
"{{ blacklists|join("\"\n \"") }}"
)
MAXELEM={{ maxelements }}
MAXELEM={{ maxelements_v6 }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

redefining the same bash variable.

ipset-blacklist.conf
Comment on lines +16 to 25
#"https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
#"https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
#"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"https://www.spamhaus.org/drop/drop.txt" # Spamhaus Don't Route Or Peer List (DROP)
#"https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
#"https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
#"https://blocklist.greensnow.co/greensnow.txt" # GreenSnow
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
# "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
# "https://raw.githubusercontent.com/ipverse/rir-ip/master/country/zz/ipv4-aggregated.txt" # Ban an entire country(-code), see https://github.com/ipverse/rir-ip
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should not be part of the PR

update-blacklist.sh
DO_OPTIMIZE_CIDR=no
if exists iprange && [[ ${OPTIMIZE_CIDR:-yes} != no ]]; then
if exists cidr-merger && [[ ${OPTIMIZE_CIDR:-yes} != no ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. cidr-merger is not available on Debian-based. Should be a fallback (or a value to passed to $OPTIMIZE_CIDR)

update-blacklist.sh
done

[[ ${VERBOSE:-no} == yes ]] && echo -e "\\n"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Best to do VERBOSE=${VERBOSE:-no} once at the beginning of the script

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@drzraf drzraf drzraf left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kiekerjan @ann0see @joe-at-startupmedia @thelioncape @drzraf