How to protect your IPv6 Debian server using fail2ban

Dual-stack IPv4 / IPv6 connectivity support was finally added to fail2ban during 2017. This tutorial explains how to install a fail2ban version that protects both IPv4 and IPv6 servers.

The main purpose of fail2ban is to find and temporarily ban IP addresses with aggressive behavior against vulnerable services, analyzing their failed login attempts.

A password attack consists on testing many frequently used passwords (dictionary attack) or all possible combinations of a given length (brute force attack).

A fail2ban version with IPv6 support is available for Debian Stretch and Debian Buster in this Debian repository, though it will be available in the official Debian repository one day.

Update jail.local

Replace the following green lines with the bolded ones in /etc/fail2ban/jail.local (if present only).

[postfix]
filter=postfix-rbl
mode=rbl
[postfix]
filter=postfix-sasl
mode=auth
[sshd]
filter=sshd-aggressive
mode=aggressive
[sshd]
filter=sshd-ddos
mode=ddos

Install or upgrade fail2ban

These commands will install or upgrade fail2ban using either our Debian repository or direct download respectively.

#ncomputers.org/debian
apt-get update
apt-get install fail2ban
wget http://ncomputers.org/debian/fail2ban.deb
apt-get install python3
dpkg -i fail2ban.deb; rm fail2ban.deb

Enable jails to protect vulnerable services

There are many jails you can enable, for more information read /etc/fail2ban/jail.conf, but edit /etc/fail2ban/jail.local instead.

Below are some examples. Once finished, reload the configuration files running fail2ban-client reload command.

[dovecot]
enabled=1
[mysql]
enabled=1
[postfix]
enabled=1
[pure-ftpd]
enabled=1
[roundcube]
enabled=1
[sshd]
enabled=1

Check version and status

Dual-stack IPv4 / IPv6 support was added to version 0.10.0, running the following commands you can check your fail2ban version number and status.

fail2ban-client version fail2ban-client status