Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: SSH over IPv6  (Read 104 times)

born2host

  • Newbie
  • Posts: 8
SSH over IPv6
« on: November 16, 2019, 11:27:46 AM »

Hi all,

Why not make a test in which the user needs to set up his/her SSH server to accept connections only over IPv6 ?
I know that's not a big deal, but it's a step ahead to set up a server to work fully and only with IPv6.

snarked

  • Hero Member
  • Posts: 766
Re: SSH over IPv6
« Reply #1 on: November 17, 2019, 08:06:23 AM »

As a concept, I could agree. However, that particular service isn't practical. SSH is one of the most attacked services that exists, and the security implications are too great. Many administrators do not leave the service available to all, having restricted it in some way. Although the test could be opened to just the IPv6 range of 2001:470::/48 and only during the test, you all would be counting on HE not getting hacked. Knowledge of the test being from that IPv6 subnet would get out to the public and HE become a greater target.

On my colocated systems, those attempting SSH without the proper sequence go straight to my TCP tarpit (level 1). I typically have about 800 systems via IPv4 in level 1, which times out, and 200 in level 2, which clears on reboot or manual intervention only, at any one time. Level 2 is entered when a system (by IP) has misbehaved over a certain count of actions. Actions include accessing closed (or protected) ports, Xmas-tree TCP packets, TCP to multicast addresses, etc. I also get a handful or 2 of IPv6 bad actors, but most hacks come via IPv4.

Find another service to test.

born2host

  • Newbie
  • Posts: 8
Re: SSH over IPv6
« Reply #2 on: November 17, 2019, 08:17:56 AM »

I got what you mean, but at the same time this is easy to override. HE.net will say "we will try to ssh you from IP 2001:xxxx:xxxx:xxxx::x", so everyone can leave this IP in hosts.allow, everything else hosts.deny/ipsec/ipfw/pf/... -> deny. It's not that hard to allow 1 IP for a 2min test, but for some ppl it will be hard to config the sshd to accept connections only through IPv6, especially if the port is different than the default.
Anyway. I leave the decision to HE.net.
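The setup reply #2 describes (sshd listening only on IPv6, on a non-default port, with a single tester address allowed via hosts.allow and everything else denied) as an added example that is not part of the thread and not HE's or the posters' own configuration. The tester address 2001:db8::1 and port 2222 are constructed placeholders; the check functions are plain POSIX shell so they run without sshd installed.

```shell
#!/bin/sh
# Added example, not from the forum thread: an IPv6-only sshd configuration on a
# non-default port admitting one tester address, plus a pure-shell check that a
# given sshd_config really has the IPv6-only properties. Addresses are constructed
# placeholders (2001:db8::/32 is the documentation prefix).

TESTER_ADDR="2001:db8::1"   # hypothetical address the test connection would come from
SSH_PORT=2222               # non-default port, as raised in the thread

# Write an sshd_config fragment that opens no IPv4 socket at all.
write_ipv6_only_sshd_config() {
    cat > "$1" <<EOF
# Only create IPv6 listening sockets; with "inet6" sshd never binds an IPv4 address.
AddressFamily inet6
# Bind the IPv6 wildcard on the non-default port; [::] is the bracketed form
# required when a port is appended to an IPv6 literal.
ListenAddress [::]:${SSH_PORT}
# Tighten settings for the one address that is allowed to test
# (Match blocks are evaluated in order; the first match wins).
Match Address ${TESTER_ADDR}
    PasswordAuthentication no
    MaxAuthTries 3
EOF
}

# Write TCP-wrappers rules: deny everyone, then allow only the tester address.
# hosts_access(5) requires IPv6 literals to be enclosed in square brackets.
write_tcp_wrappers_rules() {
    printf 'sshd: [%s]\n' "$TESTER_ADDR" > "$1/hosts.allow"
    printf 'sshd: ALL\n' > "$1/hosts.deny"
}

# Return 0 if the config is IPv6-only: AddressFamily inet6 is set and no
# ListenAddress names a dotted-quad IPv4 literal (e.g. 0.0.0.0).
is_ipv6_only_sshd_config() {
    cfg="$1"
    grep -Eq '^[[:space:]]*AddressFamily[[:space:]]+inet6[[:space:]]*$' "$cfg" || return 1
    if grep -Eq '^[[:space:]]*ListenAddress[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$cfg"; then
        return 1
    fi
    return 0
}

# Extract the port from the first "ListenAddress [addr]:port" line.
configured_port() {
    sed -n 's/^[[:space:]]*ListenAddress[[:space:]]*\[[^]]*]:\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Stand-alone run: write the files to a temporary directory and report.
workdir=$(mktemp -d)
write_ipv6_only_sshd_config "$workdir/sshd_config"
write_tcp_wrappers_rules "$workdir"
if is_ipv6_only_sshd_config "$workdir/sshd_config"; then
    echo "sshd_config is IPv6-only on port $(configured_port "$workdir/sshd_config") in $workdir"
else
    echo "sshd_config still permits IPv4 listeners" >&2
fi
```

Two caveats for anyone reproducing this: OpenSSH removed its built-in tcp_wrappers (libwrap) support in version 6.7, so hosts.allow and hosts.deny only take effect where the distribution's sshd is still built with it; elsewhere the single-address allow belongs in the host firewall (ip6tables/pf/ipfw, as the reply mentions) or in sshd's own `AllowUsers user@address` or `Match Address` directives. After reloading sshd, confirm with `ss -ltn` (Linux) or `sockstat -l` (BSD) that the only listener on the chosen port is bound to `[::]`; an IPv4 scan should then see the port closed rather than filtered.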