Folks,
Searched the archives and found a few IPv6 inquiries, but only that there are no plans to support it. While I'm not a programmer, I suspect it would actually be fairly simple to implement (please correct me if I'm wrong).
This is starting to become a priority for me. I need to monitor my ssh servers, but they all only respond now to ipv6, so I can't :-(.
For those of you who care, after monitoring my ipv6 only ssh logs, the automated attacks against my servers have dropped from over 10,000 attacks per day to 0. Have not had a single attack in months. Haven't seen that in over 10 years now. I'm sure this is only a temporary thing, but it sure is nice.
I have only one other piece of software I can't replace (besides hobbit) that needs to support ipv6 and I will be ready. Those of you watching the bogon list might know how close we are to complete ipv4 exhaustion, and in some areas of the world ipv4 addresses are no longer available.
If there is anything I can do to expedite a move to support ipv6, let me know.
Thanx,
David A. Bandel
Focus on the dream, not the competition. - Nemesis Air Racing Team motto
Security through obscurity only works until it becomes mainstream. You still want to be proactive against SSH attacks (or whatever else). Just because you moved down the street doesn't mean the thieves won't steal your lawn gnomes!
With IPv6 becoming more and more abundant I think it should be implemented but I don't find any use for it in my world (today!).
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
On Fri, Nov 28, 2008 at 1:53 PM, David A. Bandel <david.bandel at gmail.com> wrote:
> Folks,
> Searched the archives and found a few IPv6 inquiries, but only that there are no plans to support it. While I'm not a programmer, I suspect it would actually be fairly simple to implement (please correct me if I'm wrong).
> This is starting to become a priority for me. I need to monitor my ssh servers, but they all only respond now to ipv6, so I can't :-(.
> For those of you who care, after monitoring my ipv6 only ssh logs, the automated attacks against my servers have dropped from over 10,000 attacks per day to 0. Have not had a single attack in months. Haven't seen that in over 10 years now. I'm sure this is only a temporary thing, but it sure is nice.
> I have only one other piece of software I can't replace (besides hobbit) that needs to support ipv6 and I will be ready. Those of you watching the bogon list might know how close we are to complete ipv4 exhaustion, and in some areas of the world ipv4 addresses are no longer available.
> If there is anything I can do to expedite a move to support ipv6, let me know.
> Thanx,
> David A. Bandel
> Focus on the dream, not the competition. - Nemesis Air Racing Team motto
> To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk
On Fri, Nov 28, 2008 at 2:17 PM, Josh Luthman <josh at imaginenetworksllc.com> wrote:
Hmm. Top-posting. Must be a lawyer.
> Security through obscurity only works until it becomes mainstream. You still want to be proactive against SSH attacks (or whatever else). Just because you moved down the street doesn't mean the thieves won't steal your lawn gnomes!
I haven't removed/downgraded any security I use, I just find it refreshing not to be wading through the myriad entries in auth.log showing 'ssh invalid user' and all. I didn't expect this, it's just a bene that my log files are less cluttered (by many hundred k per day).
> With IPv6 becoming more and more abundant I think it should be implemented but I don't find any use for it in my world (today!).
And that's your excuse for procrastinating? Honestly, it's easier than you think, but it will take time to implement. Start soon, really, you'll be glad you did.
I have a short story that presents a frightening scenario for procrastinators which I hope does not come to pass, but I don't want to find out the hard way that it's true. Has to do with several ICANN board members that are very unhappy and annoyed that IPv6 adoption is so slow and what they have discussed seriously to give folks a hard shove (I wouldn't want to be standing on the ipv4-only ledge if any of what I heard is true).
> Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
> Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
Ciao,
David A. Bandel
Focus on the dream, not the competition. - Nemesis Air Racing Team motto
I'm top-posting because it's Gmail's default.
Reading through logs on a day to day basis just isn't feasible - these things have to be automated. My point is just because you don't have SSH login attempts doesn't mean you can waive something like DenyHosts.
I really don't have an excuse, however, I do have other tasks to complete before this one that doesn't have a deadline.
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
On Fri, Nov 28, 2008 at 2:37 PM, David A. Bandel <david.bandel at gmail.com> wrote:
> On Fri, Nov 28, 2008 at 2:17 PM, Josh Luthman <josh at imaginenetworksllc.com> wrote:
> Hmm. Top-posting. Must be a lawyer.
> > Security through obscurity only works until it becomes mainstream. You still want to be proactive against SSH attacks (or whatever else). Just because you moved down the street doesn't mean the thieves won't steal your lawn gnomes!
> I haven't removed/downgraded any security I use, I just find it refreshing not to be wading through the myriad entries in auth.log showing 'ssh invalid user' and all. I didn't expect this, it's just a bene that my log files are less cluttered (by many hundred k per day).
> > With IPv6 becoming more and more abundant I think it should be implemented but I don't find any use for it in my world (today!).
> And that's your excuse for procrastinating? Honestly, it's easier than you think, but it will take time to implement. Start soon, really, you'll be glad you did.
> I have a short story that presents a frightening scenario for procrastinators which I hope does not come to pass, but I don't want to find out the hard way that it's true. Has to do with several ICANN board members that are very unhappy and annoyed that IPv6 adoption is so slow and what they have discussed seriously to give folks a hard shove (I wouldn't want to be standing on the ipv4-only ledge if any of what I heard is true).
> > Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
> > Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer
> Ciao,
> David A. Bandel
> Focus on the dream, not the competition. - Nemesis Air Racing Team motto
On Fri, Nov 28, 2008 at 2:55 PM, Josh Luthman <josh at imaginenetworksllc.com> wrote:
> I'm top-posting because it's Gmail's default.
> Reading through logs on a day to day basis just isn't feasible - these
Who has time?
> things have to be automated. My point is just because you don't have SSH login attempts doesn't mean you can waive something like DenyHosts.
As I said. I have all this. I was just surprised the first automated report that came in after turning off ipv4 bindings that there were no entries listed, and that my log file for the day was much smaller. Not sure why you'd take my comment that the attacks were mitigated to somehow suggest I dropped all security measures. Heck, I spent a whole day trying to figure out what was going on and why no entries (couldn't believe there just were no attacks).
The note about fewer (in this case cessation) of attacks I just found very interesting (I still think it's interesting). Now I'm watching for when they actually start (and from where -- I expect China as that's where IPv6 is being heavily deployed and is the origin of many ipv4 attacks).
You have me confused with Microsoft -- ensuring all my security measures still work correctly in IPv6 was my first priority. ip6tables is a good start, btw.
I just need to start monitoring IPv6 -- for those services binding both protocols as well as those few that are only bound to IPv6. I need to know if my mail server, web server, etc., is only responding to one or the other or both now that I have two protocols running (vice one).
Ciao,
David A. Bandel
Focus on the dream, not the competition. - Nemesis Air Racing Team motto
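
An added example, not part of the original thread: one way to automate the "watching for when they actually start (and from where)" step is to split failed SSH logins in auth.log by address family. The sample lines are constructed (documentation address ranges) and the regular expression assumes the usual OpenSSH "Invalid user" / "Failed password" wording.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH auth.log wording
# (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Nov 28 03:12:01 host1 sshd[4121]: Invalid user admin from 192.0.2.15
Nov 28 03:12:03 host1 sshd[4121]: Failed password for invalid user admin from 192.0.2.15 port 40022 ssh2
Nov 28 03:14:40 host1 sshd[4130]: Failed password for root from 198.51.100.7 port 51514 ssh2
Nov 28 09:30:11 host1 sshd[4702]: Accepted publickey for david from 2001:db8:10::5 port 50211 ssh2
Nov 29 01:02:19 host1 sshd[5230]: Invalid user test from 2001:db8:beef::66
Nov 29 01:02:25 host1 sshd[5230]: Failed password for invalid user test from 2001:db8:beef::66 port 39001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?P<src>\S+)"
)

def summarize(log_text):
    """Count failed SSH logins per address family and note the first IPv6 one."""
    per_family = Counter()
    per_source = Counter()
    first_v6 = None
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines
        try:
            addr = ipaddress.ip_address(m.group("src").split("%")[0])
        except ValueError:
            continue  # a hostname was logged instead of an address
        # ::ffff:a.b.c.d is an IPv4 peer seen through a dual-stack socket
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        family = "ipv%d" % addr.version
        per_family[family] += 1
        per_source[str(addr)] += 1
        if family == "ipv6" and first_v6 is None:
            first_v6 = (m.group("ts"), str(addr))
    return {"per_family": dict(per_family),
            "per_source": dict(per_source),
            "first_ipv6": first_v6}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```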
On Fri, 28 Nov 2008, David A. Bandel wrote:
> This is starting to become a priority for me. I need to monitor my ssh servers, but they all only respond now to ipv6, so I can't :-(.
It seems to me that it should be quite possible to monitor the servers without hobbit itself supporting ipv6. The only thing that's necessary is a host that has both ipv4 and ipv6 (that host can be the hobbit server) and acts as a gateway with the help of a little scripting. That should be no more difficult than monitoring Novell servers with IPX.
Ulric
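
An added example, not part of the original thread and not Hobbit code: a small per-protocol TCP check of the kind the "little scripting" on a dual-stack host could use, which also answers David's question of whether a service responds on IPv4, IPv6 or both. It assumes it runs on a host with both protocols configured; the function names are illustrative, and feeding the result into Hobbit is left out.

```python
import socket

FAMILIES = (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6))

def probe(host, port, timeout=3.0):
    """Try a TCP connect to host:port separately over IPv4 and IPv6.

    Returns {"ipv4": state, "ipv6": state}; state is "up", "down"
    or "no-address" (the name has no address of that family).
    """
    result = {}
    for name, family in FAMILIES:
        try:
            # Restricting the family stops the resolver from silently
            # falling back to the other protocol.
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            result[name] = "no-address"
            continue
        result[name] = "down"
        for fam, kind, proto, _canon, sockaddr in infos:
            try:
                with socket.socket(fam, kind, proto) as s:
                    s.settimeout(timeout)
                    s.connect(sockaddr)
                result[name] = "up"
                break
            except OSError:
                continue  # refused, timed out, or no route for this family
    return result

def describe(result):
    """Summarise a probe() result as 'both', '<family> only' or 'neither'."""
    up = [name for name, state in result.items() if state == "up"]
    if len(up) == 2:
        return "both"
    return up[0] + " only" if up else "neither"

if __name__ == "__main__":
    import sys
    target, tcp_port = sys.argv[1], int(sys.argv[2])
    states = probe(target, tcp_port)
    print(target, tcp_port, states, "->", describe(states))
```

Run from the dual-stack host with a host name and port as arguments, for example the SSH port of an IPv6-only server.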
participants (3): david.bandel@gmail.com, josh@imaginenetworksllc.com, ulric@siag.nu