Security Sysadmin Block All Visitors using IPV6

Discussion in 'System Administration' started by ndha, Mar 27, 2018.

  1. ndha
    Hi @eva2000 and all members,

    Recently my site got scraped/grabbed using the search function in WordPress;
    after the bot does that scraping, the results get posted into an APK..
    I'd already looked into all the logs and saw so many search function requests using IPv6..

    So how can I totally block all visitors/bots using IPv6???
    Thanks for the answer and help..

    Regards,
     
  2. JJC84
    You might just want to recompile Nginx and disable IPv6: in /etc/centminmod/custom_config.inc you need to add this, then you recompile.

    DISABLE_IPVSIX='y'

    Someone let me know if I got any of that wrong. Thanks!
     
  3. ndha
    Hi, maybe you don't get what I mean :)
    Your answer is for disabling IPv6 on our server..
    What I mean is to totally block visitors/users that use IPv6, based on their IP..
    Thanks for your reply..
     
  4. JJC84
    You can do that.
    ip6tables -I INPUT -i eth0 -j REJECT   # INPUT, not FORWARD: traffic addressed to this host itself traverses the INPUT chain
     
  5. eva2000
    @JJC84 no need to use iptables directly, CSF Firewall can do it easily.

    If your server has IPv6 networking enabled, you can just block/deny IPv6 IPs the same way you do for IPv4 IPs using csf (CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS);
    just use the IPv6 address instead of the IPv4 one.
     
  6. eva2000
    Technically @JJC84 is correct: the only way to prevent IPv6 usage at the web server level is to disable Nginx support for IPv6 completely, unless you just want to ban bad IPv6 addresses using CSF Firewall.

    But if you want to stop serving IPv6 requests at the Nginx server level, you have to prevent Nginx from supporting IPv6, either by disabling it at Nginx compile time or by removing the IPv6 related listen directives from your Nginx vhost so Nginx only listens on IPv4. That is usually the Centmin Mod out-of-box default, unless you manually add IPv6 related listen directives to your Nginx vhost.
     
  7. JJC84
    You're right, it's better to use CSF, but I couldn't think of how to do it off the top of my head besides ip6tables.
     
  8. JJC84
    I would honestly just disable it at the server level, but that's not always desirable or necessary, so there are plenty of other ways to do the same thing, as you have illustrated.
     
  9. eva2000
    The csf commands to allow/deny IPs are easy:

    -a = allow and -d = deny
    Code (Text):
    csf -a IP
    csf -d IP

    Or you can implement my bad bot blocking and rate limiting method outlined at Security - Blocking bad or aggressive bots, though it relies on user agent detection.
     
  10. ndha
    Yes, all answers are correct.
    I already disabled IPv6 since day 1 using CMM and don't have any IPv6 related listen directives in my Nginx vhosts.
    If I use csf -d xxx.xxx.xxx.xxx there will be many to add manually, because the IPv6 address the bot uses to access my site changes every second.
    I already use your bot limit config too but nothing changed..
    Sometimes this bot causes high CPU use (mysql).

    Here is the example:
    Code:
    2601:703:4000:6ee0:4e4e:acff:fe09:de8d - - [27/Mar/2018:04:56:45 +0700] "GET / HTTP/1.0" 200 22037 "https://www.domain.org/?s=grab+something" ......... 
    So I want to block that bot's IPv6 automatically, is it possible??
     
  11. JJC84
    That sounds like a fairly annoying security threat.
     
  12. eva2000
    Latest Nginx versions default to IPv6 enabled even if you don't enable it these days, so you could still have Nginx with IPv6 support. But if you don't set or configure listeners to support IPv6, it shouldn't answer those IPv6 requests, as far as I know.

    Make sure your domain DNS doesn't resolve AAAA records either:
    Code (Text):
    host -t AAAA yourdomain.com

    Code (Text):
    ping6 -c4 yourdomain.com
     
  13. eva2000
    Does it have a user agent in the logs? Post an example of a full access log entry.
     
  14. eva2000
    One more important thing: CSF Firewall, bad bot blocking and even fail2ban out of the box by default will not work if you have Cloudflare in front of your site, as the firewall would not be able to determine the real visitor's IP. You'd need to do the blocking at Cloudflare's firewall edge/end.

    The fail2ban implementation I posted at Security - fail2ban for Centmin Mod + CSF Firewall / Cloudflare API can be configured to talk to Cloudflare's firewall via API, but the firewall limits for free and non-Enterprise Cloudflare accounts are very low and not useful at all.

    [attachment: upload_2018-3-27_8-27-28.png]
     
  15. ndha
    Yeah, now I totally disabled the WordPress search function and use Google CSE to replace it;
    it helps a bit and CPU/load cooled down a little, but it is still higher than usual.

    Nope, it does not resolve to any of those..
    "connect: Network is unreachable" when I do ping6 to the domain.

    It had a user agent header, example:
    Code (Text):
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36"

    The user agent header is always different, that's why I can't rely on it maybe.

    Yes, I'm using Cloudflare already and block that user agent header from the CF Firewall, and a lot of IPv6 too, but it seems useless because it's always a different IPv6..
    Also I already tried disabling CF for a while; it made things worse, CPU/load always full..
     
  16. eva2000
    Example of the full access.log entry, not just the user agent?

    If you really have IPv6 disabled, your server shouldn't be answering IPv6 client requests at all. Try testing your domain at IPv6 domain readiness tester.

    Cloudflare itself allows IPv6 on its edge servers.

    Example testing for the centmin.sh domain, which is a Cloudflare-backed mirror for centminmod.com:

    [attachment: upload_2018-3-27_8-42-43.png]

    You need to rate limit requests then. Just make sure you have Nginx configured for real IP forwarding (via set_real_ip_from), otherwise Nginx only sees the Cloudflare IP instead of the visitor's IP; see FAQ item 5 at Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS, linking to Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS
     
  17. ndha
    Code (Text):
    2607:fb90:7d7e:4264:dc26:aaf8:f5cb:5198 - - [27/Mar/2018:03:53:13 +0700] "GET / HTTP/1.0" 200 22037 "https://www.domain.org/?s=grab+something" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
    2601:582:302:2f72:7ae1:3ff:fed0:4014 - - [27/Mar/2018:03:53:14 +0700] "GET / HTTP/1.0" 200 22037 "https://www.domain.org/?s=grab+something" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
    2600:1702:6c0:ae30:8a71:e5ff:fe66:a7cb - - [27/Mar/2018:03:53:15 +0700] "GET / HTTP/1.0" 200 22037 "https://www.domain.org/?s=grab+something" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"

    At IPv6 domain readiness tester:
    [attachment: Screenshot_1.jpg]

    Yes, I'm already using CF real IP forwarding..
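An added example, not Centmin Mod code and not posted by anyone in this thread, that turns access log lines like the ones above into per-/64 counts, so an admin can see which IPv6 ranges the bot cycles through instead of chasing single addresses that change every second. The sample lines are constructed from the posted ones: domain.org, the second address inside the 2607:fb90:7d7e:4264::/64 range, and the IPv4 and non-search control lines are made up for the example.

```python
"""Find IPv6 clients driving the WordPress search endpoint, grouped by /64 prefix.

Added example for this thread (not Centmin Mod's code and not from any post here):
parses Nginx combined-format access log lines, keeps IPv6 clients whose request or
Referer carries the WordPress search parameter ?s=, and counts hits per /64 so an
admin can review which ranges a bot cycles through.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Nginx "combined" log format:
# client - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines modelled on the ones posted in the thread: two clients
# in the same /64, one in another range, one IPv4 search, one IPv6 non-search hit.
SAMPLE_LOG = """\
2607:fb90:7d7e:4264:dc26:aaf8:f5cb:5198 - - [27/Mar/2018:03:53:13 +0700] "GET / HTTP/1.0" 200 22037 "https://www.domain.org/?s=grab+something" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
2607:fb90:7d7e:4264:0a1b:2c3d:4e5f:6071 - - [27/Mar/2018:03:53:14 +0700] "GET /?s=grab+other HTTP/1.1" 200 22037 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
2600:1702:6c0:ae30:8a71:e5ff:fe66:a7cb - - [27/Mar/2018:03:53:15 +0700] "GET / HTTP/1.0" 200 22037 "https://www.domain.org/?s=grab+something" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
203.0.113.7 - - [27/Mar/2018:03:53:16 +0700] "GET /?s=legit HTTP/1.1" 200 22037 "-" "Mozilla/5.0"
2001:db8::1 - - [27/Mar/2018:03:53:17 +0700] "GET /about/ HTTP/1.1" 200 1024 "https://www.domain.org/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    try:
        entry["addr"] = ipaddress.ip_address(entry["ip"])
    except ValueError:  # e.g. a hostname if the log was resolved
        return None
    return entry


def search_term(entry):
    """WordPress search term (?s=) from the request path or the Referer, else None.

    The posted log lines show "GET /" with the search URL only in the Referer,
    so both places are checked.
    """
    candidates = []
    parts = entry["request"].split()
    if len(parts) >= 2:
        candidates.append(parts[1])
    if entry["referer"] not in ("-", ""):
        candidates.append(entry["referer"])
    for url in candidates:
        values = parse_qs(urlsplit(url).query).get("s")
        if values and values[0].strip():
            return values[0]
    return None


def ipv6_search_hits(log_text, prefixlen=64):
    """Count search hits from IPv6 clients, keyed by their /prefixlen network."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["addr"].version != 6:
            continue
        if search_term(entry) is None:
            continue
        net = ipaddress.ip_network(f"{entry['addr']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def candidate_prefixes(counts, threshold=2):
    """Prefixes with at least `threshold` search hits, for the admin to review."""
    return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = ipv6_search_hits(SAMPLE_LOG)
    for prefix, n in hits.most_common():
        print(f"{n:4d}  {prefix}")
    # csf.deny accepts CIDR ranges; whether a whole /64 should be denied is a
    # judgement call, so the candidates are printed for review rather than executed.
    for prefix in candidate_prefixes(hits):
        print(f"review: csf -d {prefix}")
```

Run it against a real file with `ipv6_search_hits(open("/var/log/nginx/domain.org.access.log").read())`; the /64 grouping is the assumption that SLAAC clients in one household or ISP allocation share a /64, which the prefix length argument lets you widen or narrow. Note that the count is only meaningful behind Cloudflare if set_real_ip_from is configured, as the thread points out, otherwise every line carries a Cloudflare edge address.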
     
  18. eva2000
    Sounds like you need to rate limit those requests: Nginx - Nginx rate limiting (new article).

    Though you shouldn't be responding to IPv6 requests if the Nginx vhost listen directives aren't configured for it. To double check, try using curl header checks for both IPv4 and IPv6, with Cloudflare in front and bypassing Cloudflare.

    With Cloudflare, IPv6:
    Code (Text):
    curl -I6v http://yourdomain.com
    curl -I6v https://yourdomain.com

    IPv4:
    Code (Text):
    curl -I4v http://yourdomain.com
    curl -I4v https://yourdomain.com

    Bypassing Cloudflare, replacing YOURREALSERVER_IP with your server's real IP and yourdomain.com with your domain name, IPv6:
    Code (Text):
    curl -I6v --resolve 'yourdomain.com:80:YOURREALSERVER_IP' http://yourdomain.com
    curl -I6v --resolve 'yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com

    IPv4:
    Code (Text):
    curl -I4v --resolve 'yourdomain.com:80:YOURREALSERVER_IP' http://yourdomain.com
    curl -I4v --resolve 'yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com

    The top part of the curl header output shows what IP address curl connects to for your domain, while the rest of the curl header output can verify which site you landed on from the other headers shown.

    i.e.
    Code (Text):
    curl -I6v http://centmin.sh
    * About to connect() to centmin.sh port 80 (#0)
    *   Trying 2400:cb00:2048:1::681b:ac9a...
    * Connected to centmin.sh (2400:cb00:2048:1::681b:ac9a) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0

    Code (Text):
    curl -I4v http://centmin.sh
    * About to connect() to centmin.sh port 80 (#0)
    *   Trying 104.27.172.154...
    * Connected to centmin.sh (104.27.172.154) port 80 (#0)
    > HEAD / HTTP/1.1
    > User-Agent: curl/7.29.0

    When the domain and server are not configured for IPv6 you would get:
    Code (Text):
    curl -I6v http://domain.com
    * Could not resolve host: domain.com; Name or service not known
    * Closing connection 0
    curl: (6) Could not resolve host: domain.com; Name or service not known
     
  19. eva2000
  20. ndha
    @eva2000
    for curl -I6v https://yourdomain.com = Network Unreachable
    for curl -I6v --resolve 'yourdomain.com:443:YOURREALSERVER_IP' https://yourdomain.com = Connection Closed

    I also already did all of that tutorial for disabling IPv6..

    For Nginx rate limiting,
    how do I rate limit this URL: https://domain.org/?s=* (*=any random search)?
    Can anyone give some example to limit access to the WordPress search function above??
    Thanks..
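An added example of the Nginx rate limit asked about above; it is not Centmin Mod's own configuration and not from any post in this thread. It keys the limit on the client address only when a request carries the WordPress ?s= parameter or, as in the log lines posted earlier, refers to a search URL in its Referer, so normal page views are never counted. The zone name, zone size, rate and burst are assumed illustrative values to tune against real traffic, and domain.org stands in for the real vhost.

```nginx
# Added example, not Centmin Mod's shipped config. Assumes a standard vhost for
# domain.org; "wpsearch", 10m, 1r/s and burst=3 are illustrative values.

# --- http {} context (nginx.conf or an included conf file) ---

# Produce a non-empty key only for search traffic. limit_req does not account
# requests whose key is an empty string, so ordinary page views are unaffected.
map "$arg_s|$http_referer" $wp_search_key {
    default                      "";
    "~^[^|]+\|"                  $binary_remote_addr;   # the request itself carries a non-empty ?s=
    "~\|https?://[^/]+/\?s="     $binary_remote_addr;   # Referer is a search URL, as in the posted log lines
}

# 10 MB shared zone (roughly 160k IPv4 or 80k IPv6 client states), one search per
# second per client. $binary_remote_addr is the visitor's real address only when
# set_real_ip_from / real_ip_header are configured for Cloudflare, as noted above.
limit_req_zone $wp_search_key zone=wpsearch:10m rate=1r/s;

# --- server {} context (the domain's vhost) ---
server {
    listen 80;                     # IPv4 only; "listen [::]:80;" is what would enable IPv6 here
    server_name domain.org www.domain.org;

    location / {
        # Allow a short burst of 3 searches, then answer 429 instead of queueing.
        limit_req zone=wpsearch burst=3 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;  # limited requests are logged so the bot's prefixes stay visible

        try_files $uri $uri/ /index.php?$args;
    }
}
```

Check the syntax with `nginx -t` and reload; the preaccess-phase limit_req in `location /` is applied before try_files hands the request to the PHP location, so the search request is counted even though WordPress ultimately serves it through index.php.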
     