SSH over IPv6

Started by born2host, November 16, 2019, 11:27:46 AM



Hi all,

Why not make a test in which the user needs to set up his/her SSH server to accept connections only over IPv6?
I know that's not a big deal, but it's a step ahead to set up a server to work fully and only with IPv6.


As a concept, I could agree.  However, that particular service isn't practical.  SSH is one of the most attacked services that exists, and the security implications are too great.  Many administrators do not leave the service available to all, having restricted it in some way.  Although the test could be opened to just the IPv6 range of 2001:470::/48 and only during the test, you all would be counting on HE not getting hacked.  Knowledge of the test being from that IPv6 subnet would get out to the public and HE would become a greater target.

On my colocated systems, those attempting SSH without the proper sequence go straight to my TCP tarpit (level 1).  I typically have about 800 systems via IPv4 in level 1, which times out, and 200 in level 2, which clears on reboot or manual intervention only, at any one time. Level 2 is entered when a system (by IP) has misbehaved over a certain count of actions.  Actions include accessing closed (or protected) ports, Xmas-tree TCP packets, TCP to multicast addresses, etc.  I also get a handful or two of IPv6 bad actors, but most hacks come via IPv4.

Find another service to test.


I got what you mean, but at the same time this is easy to override. HE.net will say "we will try to ssh you from IP 2001:xxxx:xxxx:xxxx::x", so everyone can leave this IP in hosts.allow, everything else hosts.deny/ipsec/ipfw/pf/... -> deny. It's not that hard to allow 1 IP for a 2 min test, but for some people it will be hard to config the sshd to accept connections only through IPv6, especially if the port is different than the default.
Anyway. I leave the decision to HE.net.
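The post above mentions that configuring sshd to accept connections only over IPv6 (particularly on a non-default port) trips people up. The following is an added example, not code from the thread or from HE: a POSIX shell check that reads an sshd_config and reports whether the daemon is bound to IPv6 only. It relies on the documented OpenSSH keywords AddressFamily and ListenAddress; the sample config files it writes are constructed for the demo and refer to no real host.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit an sshd_config for IPv6-only binding.
# sshd is IPv6-only when either
#   AddressFamily inet6        is set, or
#   every ListenAddress entry  is an IPv6 literal (e.g. "::" or "[2001:db8::1]:2222").
# A config with neither AddressFamily nor ListenAddress binds both 0.0.0.0 and ::,
# so it is NOT IPv6-only even if the host has no IPv4 address today.

# Print the effective config: comments and blank lines removed, leading whitespace trimmed.
sshd_effective_config() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' "$1"
}

# Returns 0 (true) if the config makes sshd listen on IPv6 only, 1 otherwise.
sshd_is_ipv6_only() {
    cfg="$1"
    # AddressFamily decides regardless of ListenAddress lines; first occurrence wins in sshd.
    af=$(sshd_effective_config "$cfg" | awk 'tolower($1)=="addressfamily"{print tolower($2); exit}')
    case "$af" in
        inet6) return 0 ;;
        inet)  return 1 ;;
    esac
    # No AddressFamily restriction: every ListenAddress must be an IPv6 literal.
    listens=$(sshd_effective_config "$cfg" | awk 'tolower($1)=="listenaddress"{print $2}')
    [ -z "$listens" ] && return 1      # default bind is both families
    for addr in $listens; do
        case "$addr" in
            \[*\]*)  ;;                # bracketed IPv6 literal with port, e.g. [::]:2222
            *:*:*)   ;;                # bare IPv6 literal (two or more colons)
            *)       return 1 ;;       # IPv4 address, hostname, or host:port -> not IPv6-only
        esac
    done
    return 0
}

# Demo with constructed sample configs (not real hosts).
demo_dir=$(mktemp -d)
printf 'Port 2222\nAddressFamily inet6\n'              > "$demo_dir/ipv6_only.conf"
printf 'ListenAddress [::]:2222\nListenAddress 2001:db8::1\n' > "$demo_dir/ipv6_listen.conf"
printf 'ListenAddress ::\nListenAddress 0.0.0.0\n'     > "$demo_dir/dual_stack.conf"
printf 'Port 22\n'                                      > "$demo_dir/defaults.conf"
for f in "$demo_dir"/*.conf; do
    if sshd_is_ipv6_only "$f"; then
        echo "$(basename "$f"): IPv6-only"
    else
        echo "$(basename "$f"): not IPv6-only"
    fi
done
rm -rf "$demo_dir"
```

Run it against `/etc/ssh/sshd_config` (or `sshd -T` output) after editing; a ListenAddress that includes a port must use the bracketed form, which is the detail that usually bites when the port is not 22. Remember this inspects the daemon's own binding only; a host firewall rule that drops IPv4 on the SSH port, as described later in the thread, is not visible to it.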


Another problem with this is: how do you tell if it is only accessible in IPv6?  If I tell you my IPv6 address and not my IPv4 address, you can't tell if I am open in IPv4.  And even if I did, I could just put in a firewall rule to reject the IPv4 request to that port from an HE source, and that would pass the test.