You might want to double-check if the fail2ban version you're using has IPv6 support -- just sayin' :-)
It should really be about fully disabling legacy SSH password authentication. Presence of fail2ban is a strong sign of poor security.
Worth noting it's standard to be given a /64 or /56 IPv6 block. Some providers still only give a /128 but that's just poor setup on their part.
1) You are assuming fail2ban is only usable with SSH, but it's not.
2) It is possible to ban IP ranges, as opposed to single IP addresses.
3) It's not about A 'xor' B -- nobody is implying fail2ban should be your one and only single line of defense.
The problem with banning IP ranges is that there's a huge amount of collateral damage. Many people have an IPv6 /64 or /56 but many only have a /128. An attacker can get multiple addresses in the same block specifically to perform a denial of service attack for the rest of it.
Even doing banning based on a single IPv4 address can have a lot of collateral damage beyond just shared networks like a university or workplace. IPv4 has run out and CGNAT is increasingly widespread, even beyond mobile data.
IP rate limits and bans easily become a DoS vector.
If your ISP gives its customers a /128, the collateral damage is well-deserved. 😉
One probably needs to get a bit smarter, and start with a block at X, and grow the prefix block size if/when needed. Please also note that, for services operated for/by mere mortals, particularly non-web, the chances of real collateral effects are reduced.
e.g., it's not that you have a bunch of people regularly hitting port 465, 22, or the like... Or a bunch of people in the same network as the attacker, who would end up suffering from the collateral damage.
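One way to implement the "start narrow, widen the prefix only if needed" banning described above, as an added Python example (not from the thread and not fail2ban's own code); the thresholds of three distinct offenders per /64 and three widened /64s per /56 are assumptions:

```python
# Added example (not from the thread and not fail2ban's own code): widen an
# IPv6 ban from a /128 to a /64 or /56 only after several distinct offenders
# have been seen inside that prefix. The thresholds below are assumptions.
from collections import Counter
import ipaddress

# Distinct offending addresses needed inside one /64 before the whole /64 is
# banned, and distinct widened /64s needed inside one /56 before the /56 is.
ESCALATE_AFTER = {64: 3, 56: 3}


def choose_ban_prefixes(offenders, thresholds=ESCALATE_AFTER):
    """Return the set of ip_network objects to ban for the offending addresses.

    Every offender starts as a host ban (/32 or /128). A wider IPv6 prefix
    replaces the host bans inside it only once the threshold for that rung
    is met, so one address in a /64 does not drag its neighbours into the
    ban, while an attacker hopping through a block still loses the block.
    IPv4 offenders stay as single-address bans because of CGNAT.
    """
    addrs = {ipaddress.ip_address(a) for a in offenders}
    bans = {ipaddress.ip_network(str(a)) for a in addrs}
    v6 = [a for a in addrs if a.version == 6]

    # Rung 1: /128 -> /64 when enough distinct offenders share one /64.
    per64 = Counter(ipaddress.IPv6Network((int(a), 64), strict=False) for a in v6)
    wide64 = {net for net, n in per64.items() if n >= thresholds[64]}

    # Rung 2: /64 -> /56 when enough widened /64s share one /56.
    per56 = Counter(ipaddress.IPv6Network((int(net.network_address), 56), strict=False)
                    for net in wide64)
    wide56 = {net for net, n in per56.items() if n >= thresholds[56]}

    # Keep only the widest ban covering each range and drop host bans it absorbs.
    widened = wide56 | {n for n in wide64 if not any(n.subnet_of(w) for w in wide56)}
    bans = {b for b in bans
            if b.version == 4 or not any(b.subnet_of(w) for w in widened)}
    return bans | widened


if __name__ == "__main__":
    # Constructed sample: three offenders in one /64, one in a neighbouring
    # /64, and one IPv4 address behind a possible CGNAT.
    sample = ["2001:db8:0:1::1", "2001:db8:0:1::2", "2001:db8:0:1::3",
              "2001:db8:0:2::1", "203.0.113.5"]
    for net in sorted(choose_ban_prefixes(sample), key=str):
        print(net)
```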