
Decide what to do about IPv6 #140

Open
chesio opened this issue Apr 17, 2023 · 5 comments
chesio (Owner) commented Apr 17, 2023

Right now IPv6 is "supported", but given the differences between IPv4 and IPv6, I should consider whether IPv6 should be treated differently. The sheer amount of available (*) IPv6 addresses makes the blocklist feature rather inviable.

(*) Available not only in total, but to any single threat actor.

@chesio chesio self-assigned this Apr 17, 2023
szepeviktor (Contributor) commented May 27, 2023

  • ban a single IPv6 address ❌
  • ban /64 🤔
  • ban /56 🤔
  • search phrase: isp ipv6 assign prefix

chesio (Owner, Author) commented Aug 16, 2023

Note: the webhost most of our WordPress projects run on assigns a /64 IPv6 prefix to a single VPS instance.

chesio (Owner, Author) commented Aug 16, 2023

A workaround to the IPv6 problem: turn off IPv6 access by removing the AAAA records of the domain from DNS 😄

szepeviktor (Contributor) commented
Fail2Ban authors also talk about this problem.
fail2ban/fail2ban#1123 (comment)

@chesio chesio added this to the 0.22.x milestone Aug 17, 2023
jameskimmel commented Sep 26, 2023

I think fail2ban should by default ban /48.
My reasoning for a /48 ban is simple: that is what some ISPs offer to customers.
That is what I get from my ISP. If you wanted to block me, you would have to block 65k subnets. That is probably too much just to block a single attacker.

Yeah, I already know what you are going to say. "That could falsely ban someone that only gets a /64 from his ISP."
Yes, that is right. I totally agree with that argument. But let's look at IPv4 for a moment.
If we block a single IPv4 address, what happens if that IPv4 is a CG-NAT IP? Well, all users behind that CG-NAT IP will get blocked. Is it fair? No. Is it a sexy solution? No. It is a dirty solution.
BUT the reason why this is dirty is not fail2ban's fault! It is the ISP's fault for handing out CG-NAT IPv4 to customers instead of real, public IPv4 addresses. And the same logic in my opinion applies to IPv6. It is not fail2ban's fault that some ISPs only offer /64 prefixes.
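The prefix-based banning that the comments above weigh (/64, /56 or /48 per IPv6 source instead of a single address), as an added illustration that is not the plugin's own code: failures are counted per prefix, so three attempts from different hosts in one /64 trigger a ban that per-address counting would never reach. The prefix lengths, threshold and the sample addresses (from the 2001:db8::/32 documentation range) are assumptions.

```python
"""Prefix-aggregated blocklist: count failed logins per IPv6 prefix instead of per address."""
from collections import Counter
from ipaddress import ip_address, ip_network, IPv6Address

# Assumed policy (not the plugin's): IPv4 is banned per host, IPv6 per prefix.
# /64 is used here; /56 or /48 are the alternatives discussed in the thread.
IPV4_PREFIX = 32
IPV6_PREFIX = 64
THRESHOLD = 3  # failures before the source network is banned


def ban_key(ip: str, v6_prefix: int = IPV6_PREFIX):
    """Map a client address to the network it is counted and banned under."""
    addr = ip_address(ip)
    prefix = v6_prefix if isinstance(addr, IPv6Address) else IPV4_PREFIX
    # strict=False lets host bits be set; the result is the containing network.
    return ip_network(f"{addr}/{prefix}", strict=False)


def compute_bans(failed_sources, v6_prefix: int = IPV6_PREFIX, threshold: int = THRESHOLD):
    """Return the set of networks whose aggregated failure count reaches the threshold."""
    counts = Counter(ban_key(ip, v6_prefix) for ip in failed_sources)
    return {net for net, n in counts.items() if n >= threshold}


def is_banned(ip: str, bans, v6_prefix: int = IPV6_PREFIX) -> bool:
    """A new client is banned if its address falls into any banned network."""
    return ban_key(ip, v6_prefix) in bans


# Constructed sample: three failures from distinct hosts inside one /64 plus one
# failure from an unrelated IPv4 address (documentation ranges, not real sources).
FAILED_LOGINS = [
    "2001:db8:1:2::1",
    "2001:db8:1:2::2",
    "2001:db8:1:2:abcd::3",
    "198.51.100.7",
]

if __name__ == "__main__":
    per_address = compute_bans(FAILED_LOGINS, v6_prefix=128)  # old behaviour: one address = one key
    per_prefix = compute_bans(FAILED_LOGINS)                   # aggregated by /64
    print("per-address bans:", sorted(map(str, per_address)))  # [] : every host failed only once
    print("per-/64 bans:", sorted(map(str, per_prefix)))       # ['2001:db8:1:2::/64']
    print(is_banned("2001:db8:1:2::ffff", per_prefix))         # True: a fourth host from that /64
```

Switching `IPV6_PREFIX` to 48 shows the trade-off jameskimmel describes: a single attacker with a /48 is covered by one entry, at the cost of sharing that entry with everyone in the /64s around them.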

@chesio chesio removed this from the 0.22.x milestone Feb 1, 2024