2022-07-26 - sympl-firewall IPv6 blacklisting update

Following up from the update a couple of weeks ago, I’ve just made another update live for Sympl, updating the firewall package to version x.20220719.0.

The only effective change here is to reduce the IPv6 network masks when blacklisting addresses, and in the vast majority of cases, you won’t notice any changes.

For those interested, here’s a bit more information as to what this change actually is (everyone else can skip the rest!):

Previously when the blacklist was triggered for an IPv6 address (from multiple failed attempts to SSH to the server, failed mail logins and so on) rather than blocking the individual IP address, Sympl would block the whole /64 range, which means it’s blocking 18.4 quintillion (18,446,744,073,709,551,616) addresses, or what is often a single LAN or subnet.

This is simply due to the fact that in many IPv6 environments, multiple devices share a large /64 subnet, which are linked to a single ‘owner’, so blocking that whole network makes sense, especially as a single device may have multiple IPs assigned to it.

In most cases, this is fine, but in a few cases where there’s IPv4 to IPv6 NAT in place or reasonably tidy networks, it can result in the whole network being blocked, causing knock-on issues where unexpected things are blocked, going as far as blocking your provider’s DNS servers or routers, effectively cutting IPv6 off entirely.

With this in mind, the default range block has been cut down to a /112 (the last block of 4 characters in the IPv6 address), which only affects 65,536 IPv6 addresses, and will often block a single device based on the way the addresses are assigned.

While in theory this is less secure than blocking the whole /64 network, in practice we’ve seen little to no evidence of third parties scanning from multiple IPv6 addresses on the same network or host, and most scanning activity tends to come from botnets of compromised servers all over the internet, so this wouldn’t make a significant difference blocking the /64 versus the more targeted /112.

As always, if anyone has any questions, just post here or drop me a private message.

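As an added illustration (not part of the original post or the sympl-firewall package), the snippet below compares the /64 and /112 blacklist masks for a constructed address from the IPv6 documentation range 2001:db8::/32, and shows which neighbouring addresses would be caught as collateral under each mask:

```python
import ipaddress

# Constructed sample addresses (documentation prefix 2001:db8::/32), not real hosts.
TRIGGER = "2001:db8:1234:5678:abcd:ef01:2345:6789"      # address that tripped the blacklist
SAME_LAN = "2001:db8:1234:5678::53"                      # e.g. a resolver on the same /64
SAME_DEVICE = "2001:db8:1234:5678:abcd:ef01:2345:1"      # another IP on the same /112
OTHER_LAN = "2001:db8:1234:9999::1"                      # a different /64 entirely


def block_network(addr: str, prefixlen: int) -> ipaddress.IPv6Network:
    """Network that a blacklist entry for `addr` would cover at `prefixlen`.

    strict=False lets the host bits be non-zero, so the address is simply
    masked down to the prefix (what a firewall rule would do).
    """
    return ipaddress.IPv6Network((addr, prefixlen), strict=False)


def collateral(addr: str, others: list, prefixlen: int) -> list:
    """Subset of `others` that would also be blocked by a rule for `addr`."""
    net = block_network(addr, prefixlen)
    return [o for o in others if ipaddress.IPv6Address(o) in net]


def compare_masks(addr: str, others: list) -> dict:
    """Summarise the old (/64) and new (/112) behaviour side by side."""
    summary = {}
    for prefixlen in (64, 112):
        net = block_network(addr, prefixlen)
        summary[prefixlen] = {
            "network": str(net),
            "addresses_covered": net.num_addresses,
            "collateral": collateral(addr, others, prefixlen),
        }
    return summary


if __name__ == "__main__":
    neighbours = [SAME_LAN, SAME_DEVICE, OTHER_LAN]
    for prefixlen, info in compare_masks(TRIGGER, neighbours).items():
        print(f"/{prefixlen}: {info['network']} covers "
              f"{info['addresses_covered']:,} addresses; "
              f"also blocks {info['collateral'] or 'nothing else'}")
```

Run as-is, the /64 rule catches the resolver on the same LAN while the /112 rule catches only the other address on the same device, matching the trade-off the post describes.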

One thing I don’t understand is why the Mythic Beasts IPv6 range kept getting blocked on one of my servers - does that mean another customer was trying to login to my machine?

While it’s not always visible in the control panel (i.e. it’s only visible when you don’t have an IPv4 address), Mythic Beasts provide an IPv4 to IPv6 NAT translation which allows you to SSH into an IPv6-only server when you don’t have an IPv6 address.

As this is publicly available it occasionally gets scanned for open services, and the SSH server is visible - this leads to a few attempts with weak passwords, likely from a few different hosts, but due to the NAT this looks like the virtual server’s host server is doing the scanning, leading to it tripping things like the Sympl blacklist rules and fail2ban.

There are longer-term plans to update this and make it less likely to trip like this, but occurrences are fairly uncommon.

No, just someone else on the internet, as the source IP was rewritten due to the translation from IPv4 to IPv6.