How to set up fail2ban with ufw to block IPv6?

Gill-Bates asked:

Since fail2ban version 0.10, IPv6 is supported. I used fail2ban in conjunction with ufw. I found that only IPv4 addresses are blocked. This is unfavorable.

According to the fail2ban changelog, not all banactions have been extended to IPv6 yet. Does anyone know a reliable way to get fail2ban to block IPv4 and IPv6?

My answer:


I wouldn’t worry too much about it. I’m seeing virtually no malicious traffic on IPv6 that would trigger fail2ban anyway, over a variety of public hosts. All the banactions will eventually get IPv6 support, but if you know any Python you can consider helping by adding the missing support yourself and submitting patches.

That said, the most performant banaction you can use with ufw is iptables-ipset-*, and using the IPv6 version of these banactions will apply to both IPv6 and IPv4.

banaction = iptables-ipset-proto6
banaction = iptables-ipset-proto6-allports

View the full question and any other answers on Server Fault.
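
One way to check that a banaction really covers both address families, as an added example that is not part of the original answer or of fail2ban itself: the functions below read `ipset save` output and report which families have fail2ban sets. It assumes fail2ban's set names start with `f2b-`; the sample data, including the set name `f2b-sshd6`, is constructed.

```shell
#!/bin/sh
# Added example: report which address families have fail2ban ipset sets.
# Assumption: fail2ban's set names start with "f2b-".

# Read `ipset save` output on stdin; print "name family" for each f2b set.
f2b_sets() {
    awk '$1 == "create" && $2 ~ /^f2b-/ {
        fam = "inet"    # fall back to inet if no family field is present
        for (i = 3; i < NF; i++) if ($i == "family") fam = $(i + 1)
        print $2, fam
    }'
}

# Succeed only if f2b sets exist for both inet and inet6;
# print one line for each family that has no set.
dual_stack_ok() {
    sets=$(f2b_sets)
    rc=0
    for fam in inet inet6; do
        if ! printf '%s\n' "$sets" | grep -q " $fam\$"; then
            echo "no fail2ban set for family $fam"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples of `ipset save` output (not captured from a real host).
SAMPLE_BOTH='create f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 600
add f2b-sshd 192.0.2.10 timeout 431
create f2b-sshd6 hash:ip family inet6 hashsize 1024 maxelem 65536 timeout 600
add f2b-sshd6 2001:db8::10 timeout 587'

SAMPLE_V4_ONLY='create f2b-sshd hash:ip family inet hashsize 1024 maxelem 65536 timeout 600
add f2b-sshd 192.0.2.10 timeout 431'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BOTH" | f2b_sets
printf '%s\n' "$SAMPLE_V4_ONLY" | dual_stack_ok || true

# On a live host, as root:  ipset save | dual_stack_ok
```

A missing inet6 set may simply mean that set has not been created yet, so repeat the check after an IPv6 address has been banned.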

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.