[colug-432] IPv6 adventures

R P Herrold herrold at owlriver.com
Mon Aug 31 10:21:17 EDT 2015


The IPv6 address calculator tool I mentioned was:
	ipv6calc
for more easily building PTR records
	http://www.deepspace6.net/projects/ipv6calc.html

On Mon, 31 Aug 2015, Rob Funk wrote:

> was still protecting them. Then I went ahead and got IPv6 going on my
> Linode VPS. (nginx was a bit of a pain, and logcheck needed some
> pattern updates, but I think the only real snag is fail2ban.)

fail2ban has a push to get ipv6 support working on its devel 
list atm; wrappers and iptables are already mature as to ipv6 
ACLs

I see this in my nightly log reviews:

 Refused incoming connections:
       2604:a880:800:10::970:a001 (2604:a880:800:10::970:a001): 2 Time(s)
       2604:a880:800:10::ec:8001 (2604:a880:800:10::ec:8001): 2 Time(s)
       2604:a880:800:10::fd:7001 (2604:a880:800:10::fd:7001): 1 Time(s)
       2604:a880:800:10::fd:9001 (2604:a880:800:10::fd:9001): 2 Time(s)
       2604:a880:800:10::fe:d001 (2604:a880:800:10::fe:d001): 4 Time(s)
       2604:a880:800:10::fe:f001 (2604:a880:800:10::fe:f001): 2 Time(s)
 
probing an sshd.  The /64 for this is all the same, so I 
suspect a tool using forged source ipv6 addresses, all coming 
back to the same host, to avoid triggering limiting tools like 
fail2ban.  The obvious countermeasure is to simply match on 
the LHS /64 ;)
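Matching on the LHS /64 rather than on the individual address, as an added example that is not part of the original message: a small Python script that parses "Refused incoming connections" lines in the format quoted above (the six lines from the post, plus one constructed 2001:db8: line so that a second prefix shows up), sums the refusals per source /64, and reports the prefixes that reach a fail2ban-style threshold. The log format, the /24 used for any IPv4 entries, and the threshold value are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the six lines quoted in the post plus one line from an
# unrelated (documentation) prefix, to show that grouping keeps prefixes apart.
SAMPLE_LOG = """\
 Refused incoming connections:
       2604:a880:800:10::970:a001 (2604:a880:800:10::970:a001): 2 Time(s)
       2604:a880:800:10::ec:8001 (2604:a880:800:10::ec:8001): 2 Time(s)
       2604:a880:800:10::fd:7001 (2604:a880:800:10::fd:7001): 1 Time(s)
       2604:a880:800:10::fd:9001 (2604:a880:800:10::fd:9001): 2 Time(s)
       2604:a880:800:10::fe:d001 (2604:a880:800:10::fe:d001): 4 Time(s)
       2604:a880:800:10::fe:f001 (2604:a880:800:10::fe:f001): 2 Time(s)
       2001:db8:1234:5678::1 (2001:db8:1234:5678::1): 1 Time(s)
"""

# "<addr> (<reverse-lookup or addr>): <n> Time(s)"
LINE_RE = re.compile(r"^\s*(\S+) \((\S+)\): (\d+) Time\(s\)\s*$")


def parse_refusals(text):
    """Yield (ip_address, count) for each refusal line; skip lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a hostname or garbage where an address was expected
        yield addr, int(m.group(3))


def aggregate_by_prefix(text, v6_prefix=64, v4_prefix=24):
    """Sum refusal counts per source prefix: /64 for IPv6, /24 for IPv4 (assumed)."""
    totals = Counter()
    for addr, count in parse_refusals(text):
        plen = v6_prefix if addr.version == 6 else v4_prefix
        # strict=False masks the host bits off so every address maps to its prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        totals[net] += count
    return totals


def prefixes_over_threshold(text, threshold):
    """Return (prefix, total) pairs at or above the threshold, busiest first."""
    totals = aggregate_by_prefix(text)
    return [(str(net), n) for net, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    for net, n in aggregate_by_prefix(SAMPLE_LOG).most_common():
        print(f"{net}: {n} refused connection(s)")
    print("over threshold 5:", prefixes_over_threshold(SAMPLE_LOG, 5))
```

Per address none of the six hosts reaches a typical ban threshold, but the /64 as a whole accounts for thirteen refusals, which is exactly the signal the post describes; a ban keyed on the prefix catches the whole range in one rule.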

 
> One thing is starting to concern me though: My home machines seem to
> be slowly accumulating more global-scope IPv6 addresses on the network
> that Time-Warner assigned. They started with two (one based on the MAC
> address and one seemingly random), but now they have four and five
> addresses.
> 
> Anyone know what's up with that? Something weird with dhcp6?

Probably multiple units thinking they are the 'authoritative' 
radvd.  On the clients an ip6tables rule pair like this may 
help:

-A FORWARD -p ipv6-icmp --icmpv6-type router-advertisement -s fe80::202:b3ff:feda:5e8b -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type router-advertisement -j DROP

for all but wanted radvd's.  [We intentionally use the 
Link-Local side, not the Global scoped source, to reduce the 
likelihood of successful 'spoofing' from external 'forgers' -- 
^fe packets do not properly cross router boundaries] The log 
files on the radvd's should be settable to a debug level to 
show the MAC addresses of the clients they are servicing.

TCPDUMP should also know how to display only that packet type.  
Write an ! host rule for known radvd's and see what other MAC 
addresses are talking that ICMP packet type.  The 'man' page 
for my local version suggests crafting such rules is left as 
an exercise of the reader ;)
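As an added example covering both the ip6tables rule pair and the tcpdump exercise above, and not part of the original message: a Python script that parses raw ICMPv6 Router Advertisements (RFC 4861 format), pulls out the source link-local address, the source link-layer (MAC) option and the advertised prefixes, and flags any RA that does not come from a listed radvd, the same information a tcpdump capture of ICMPv6 type 134 or a radvd debug log would give you. The trusted link-local address is the one from the post; the MACs, the other link-local addresses and the 2001:db8: prefixes are constructed for the example, and the ICMPv6 checksum is left at zero since it is not what the detector checks. The RFC checks it applies (link-local source, hop limit 255) are the same properties the ip6tables ACCEPT rule relies on. Note that RAs delivered to the host itself pass through the ip6tables INPUT chain; the FORWARD chain only sees packets the host routes for others.

```python
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def build_ra(src_mac, src_ip, prefix, hop_limit=255):
    """Construct a raw IPv6 + ICMPv6 Router Advertisement (constructed test data only)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    # RA fixed part: type, code, checksum(0), cur hop limit, flags,
    # router lifetime, reachable time, retrans timer (RFC 4861 section 4.2)
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    icmp += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac  # 8-byte option
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed  # 32 bytes
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src_ip).packed
    hdr += ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    return hdr + icmp


def parse_ra(pkt):
    """Describe the RA in a raw IPv6 packet, or return None if it is not an RA."""
    if len(pkt) < 48:
        return None
    _, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if next_hdr != ICMPV6:
        return None  # extension headers before ICMPv6 are not handled here
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    info = {"src": src, "hop_limit": hop_limit, "mac": None, "prefixes": []}
    pos = 16  # options follow the 16-byte fixed part, in 8-byte units
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            break  # RFC 4861: a zero-length option means discard the packet
        body = icmp[pos + 2:pos + opt_len * 8]
        if opt_type == OPT_SOURCE_LLADDR and len(body) >= 6:
            info["mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and len(body) >= 30:
            # body: prefix len, flags, valid, preferred, reserved, 16-byte prefix
            info["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        pos += opt_len * 8
    return info


def rogue_ras(packets, trusted_routers):
    """Flag RAs that fail the RFC 4861 validity checks or come from an unlisted router."""
    trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
    findings = []
    for pkt in packets:
        ra = parse_ra(pkt)
        if ra is None:
            continue
        reasons = []
        if not ra["src"].is_link_local:
            reasons.append("non-link-local source")
        if ra["hop_limit"] != 255:
            reasons.append(f"hop limit {ra['hop_limit']} (forwarded or forged)")
        if ra["src"] not in trusted:
            reasons.append("untrusted router")
        if reasons:
            findings.append((str(ra["src"]), ra["mac"], ra["prefixes"], reasons))
    return findings


TRUSTED = ["fe80::202:b3ff:feda:5e8b"]  # the radvd the post's ACCEPT rule names
SAMPLE_PACKETS = [  # constructed: one wanted radvd, two unwanted advertisers
    build_ra("00:02:b3:da:5e:8b", "fe80::202:b3ff:feda:5e8b", "2001:db8:1::/64"),
    build_ra("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", "2001:db8:2::/64"),
    build_ra("00:11:22:33:44:66", "2001:db8:3::1", "2001:db8:3::/64", hop_limit=64),
]

if __name__ == "__main__":
    for src, mac, prefixes, reasons in rogue_ras(SAMPLE_PACKETS, TRUSTED):
        print(f"RA from {src} ({mac}) advertising {prefixes}: {', '.join(reasons)}")
```

Feeding this the packets from a capture (for instance pcap frames with the Ethernet header stripped) gives the list of MAC addresses talking RA that the post suggests hunting for with tcpdump; the hop-limit check is why a DROP keyed on link-local source is a reasonable defence, since an RA that has crossed a router will not arrive with hop limit 255.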

-- Russ herrold

