Resolved Fail2Ban IPv6 banning in Obsidian. Correct Plesk Configuration?

[learning_curve]

IPv6 banning within Fail2Ban has been supported in Obsidian since way back HERE but like many people, we didn't upgrade from Onyx, until Obsidian attained General Release status, so we're a little slow posting this question.

Now, with an up to date Obsidian install, we have Fail2Ban 10.3.1 provided by Plesk which supports IPv6 banning (/etc/fail2ban/action.d/iptables-common.conf) but... we still can't see that the IPV6 banning is operational (or not by default after its installation anyway) and indeed, find any, already listed, Plesk compatible method of enabling this functionality.

Both these Obsidian Reference Doc Pages (One & Two) completely ignore IPv6 with the exception of this one unhelpful line:

"Fail2Ban does not provide protection against attackers with an IPv6 address. Fail2ban in Plesk relies solely on IPs (without hostname lookups) unless reconfigured"

Ouside of Plesk, there are many guides / instructions / methods for enabling IPv6 banning with Fail2Ban but just as with the very handy PHP complilations that are also provided by Plesk, you can't just modify whatever you want, without checking for potential collateral damage first... Hence this request for the correct Plesk compatible method

We're assuming that the configuration will be made within /etc/fail2ban/jail.local and/or an additional file created e.g. /etc/fail2ban/jail.d/customisation.local and/or, modifications made to existing files within here: /etc/fail2ban/filter.d because both /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/plesk.conf are system generated / overwritten files, thus it's pointless applying changes to them.

In theory if Plesk is using iptables with ipset actions, then adding something simple (which covers IPv4 & IPv6) like:

[DEFAULT]
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports

into /etc/fail2ban/jail.local might be sufficient to enable this functionality, which, should then present both of the banned IP address sets (IPv4 and IPv6) on the Plesk GUI Fail2ban page. However, it's the provided by Plesk / potential collateral damage risk, which stops us from exploring this any further currently, without any advance Plesk direct input.

 

[learning_curve]

Update. After a very helpful, detailed response from Plesk, IPv6 address banning is enabled by default within Fail2Ban on Obsidian, so no additional configuration is required (On both Onyx to Obsidian upgrades and/or, Obsidian fresh installs)

The two Obsidian Reference Doc Pages (One & Two) that at the time of the above post, completely ignored IPv6 (ref last post) were out of date. They have now been updated / corrected, to avoid any unintenional misdirections like the one above.

The reason that we couldn't we see any IPv6 addresses, listed on our own Fail2Ban GUI page that shows all of the IPv4 addresses that are currently being banned is.... purely timing. Or in other words, at the time we made the above post.... no IPv6 addresses had actually broken any of the jail / filter rules that we have in place in Fail2Ban

EDIT: And as if by some Festive Spirit Intervention (OK - Timing ) we now have banned IPv6 addresses present, within our own Fail2Ban GUI page that's mentioned above. Happy Christmas.

 

[Brujo]

Update. After a very helpful, detailed response from Plesk, IPv6 address banning is enabled by default within Fail2Ban on Obsidian, so no additional configuration is required (On both Onyx to Obsidian upgrades and/or, Obsidian fresh installs)

@learning_curve - do you use ipset within fail2ban? I had a working version under Onyx, but this works only partly under obsidian after upgrade from onyx. Only IPV4 adresses are stored and none IPV6.

Edit: got it fixed had to update the iptables-ipset-proto6.conf - it seems this confs are not updated when upgrading from onyx.
fail2ban/fail2ban

 

[learning_curve]

@learning_curve - do you use ipset within fail2ban?

Not currently, no. At the time of the first post, we thought we would need to, so we were ready to install the Ubuntu 18.04 LTS package and modify that (similar to our frst post & the link you provided etc) and then go from there, but as you can see in our second post, that became unecessary and we can see both IPv4 and IPv6 adddresses now without any issues, by using the default Plesk Obsidian Fail2Ban setup on our customised jails & filters.

 

[Guido]

@Brujo @learning_curve

Hi , I read the above posts.

My problem is that I can't see nor white or blacklist any IPv6 addresses, but a user seems banned because of repeatedly entering a wrong password and having an IPv6 address. With more people moving from IPv4 to IPv6 I assume this issue will increase.

I am running Plesk Obsidian v18.0.46_build1800220905.16 os_CentOS 7 which is installed as an upgrade of earlier versions of Plesk.
When I login to the server I am missing a lot of files that were assumed available in the /etc/fail2ban/ directory according to fail2ban/iptables-ipset-proto6.conf at 0.10 · fail2ban/fail2ban

According to the readme file, I am running fail2ban-0.11.2

Content of jail.local [DEFAULT] destemail = {my email address} maxretry = 3 findtime = 1209600 bantime = 15768000 ignoreip = 127.0.0.1/8 85.149.136.34 77.166.51.138 163.158.89.87 84.85.63.25 95.211.247.176 2a02:a210:213c:1680:440:921c:95d5:27cd [plesk-apache] enabled = true [plesk-apache-badbot] enabled = true [plesk-courierimap] enabled = true [plesk-dovecot] [plesk-horde] [plesk-modsecurity] enabled = false [plesk-panel] enabled = true [plesk-postfix] enabled = true [plesk-proftpd] enabled = true [plesk-qmail] [plesk-roundcube] enabled = true [plesk-wordpress] enabled = true [recidive] enabled = true [ssh] enabled = true


Would adding the lines below in jail.local solve my problem. I would assume the files iptables-ipset-proto6-allports.conf and iptables-ipset-proto6.conf should be present as well?

[DEFAULT]
banaction = iptables-ipset-proto6
banaction_allports = iptables-ipset-proto6-allports


Looking forward to your response.
Kind regards.